Vulnerabilities in CraftCMS
99 results (20 shown)

CVE-2026-44012 | HIGH | Craft CMS: Missing Volume Permission Check in AssetsController::actionShowInFolder Allows Information Disclosure | EPSS 0.3%
CVE-2026-29173 | LOW | Craft Commerce has Stored XSS while updating Order Status from Orders Table | EPSS 0.3%
CVE-2026-25491 | LOW | Craft has a Stored XSS in Entry Types Name | EPSS 0.3%
CVE-2026-33159 | MEDIUM | Craft CMS: Unauthenticated users could execute project configuration sync operations that should be restricted to trusted users | EPSS 0.3%
CVE-2026-25482 | MEDIUM | Craft Commerce has Stored DOM XSS in Order Status Name (Reflects in "Recent Orders" Dashboard Widget) | EPSS 0.3%
CVE-2026-32272 | HIGH | Craft Commerce: Blind SQL Injection via hasVariant/hasProduct | EPSS 0.3%
CVE-2026-25483 | MEDIUM | Craft Commerce has Stored XSS via Order Status Message with potential database exfiltration | EPSS 0.3%
CVE-2026-32270 | LOW | Craft Commerce: Unauthenticated information disclosure in `commerce/payments/pay` can leak some customer order data on anonymous payments | EPSS 0.3%
CVE-2026-32262 | MEDIUM | Craft CMS has a Path Traversal Vulnerability in AssetsController | EPSS 0.3%
CVE-2026-33162 | MEDIUM | Craft CMS: Authorization bypass in "entries/move-to-section" allows control panel user to move entries without section permissions | EPSS 0.3%
CVE-2026-31867 | MEDIUM | Craft Commerce has a Potential IDOR in Commerce carts | EPSS 0.3%
CVE-2026-25489 | MEDIUM | Craft Commerce has Stored XSS in Tax Zones (Name & Description) Leading to Potential Privilege Escalation | EPSS 0.3%
CVE-2026-41129 | MEDIUM | Craft CMS has Server-Side Request Forgery (SSRF) with Asset Uploads Mutations | EPSS 0.3%
CVE-2026-29069 | MEDIUM | Craft has an unauthenticated activation email trigger with potential user enumeration | EPSS 0.3%
CVE-2026-25485 | MEDIUM | Craft Commerce has Stored XSS in Shipping Categories (Name & Description) Fields Leading to Potential Privilege Escalation | EPSS 0.3%
CVE-2026-25488 | MEDIUM | Craft Commerce has Stored XSS in Tax Categories (Name & Description) Fields Leading to Potential Privilege Escalation | EPSS 0.3%
CVE-2026-25522 | MEDIUM | Craft Commerce has Stored XSS in Shipping Zone (Name & Description) Fields Leading to Potential Privilege Escalation | EPSS 0.3%
CVE-2026-25487 | MEDIUM | Craft CMS has Stored XSS in Tax Rates Name Leading to Potential Privilege Escalation | EPSS 0.3%
CVE-2026-25484 | MEDIUM | Craft Commerce has Stored XSS in Product Type Name | EPSS 0.3%
CVE-2026-25490 | MEDIUM | Craft Commerce has Stored XSS in Inventory Location Address Leading to Potential Privilege Escalation | EPSS 0.3%