craftcms/cms vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the craftcms/cms package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Arbitrary Code Injection	>=4.0.0-RC1, <4.16.5>=5.0.0-RC1, <5.8.7
H Arbitrary Code Injection	>=4.13.8, <4.16.3>=5.5.8, <5.8.4
C Arbitrary Code Injection	>=3.0.0-RC1, <3.9.15>=4.0.0-RC1, <4.14.15>=5.0.0-RC1, <5.6.17
M External Control of Assumed-Immutable Web Parameter	<4.15.3>=5.0.0-alpha.1, <5.7.5
H Improper Neutralization of Special Elements Used in a Template Engine	>=4.0.0-RC1, <4.14.13>=5.0.0-RC1, <5.6.15
H Arbitrary Code Injection	>=4.0.0-RC1, <4.13.8>=5.0.0-RC1, <5.5.5
C Command Injection	>=4.0.0-RC1, <4.13.2>=5.0.0-RC1, <5.5.2
H Access Control Bypass	>=4.0.0-RC1, <4.12.5>=5.0.0-RC1, <5.4.6
H Files or Directories Accessible to External Parties	>=3.5.13, <4.12.1>=5.0.0-alpha.1, <5.4.2
H Arbitrary Code Injection	>=4.0.0-RC1, <4.12.2>=5.0.0-RC1, <5.4.3
M Cross-site Scripting (XSS)	>=5.0.0, <5.1.2
M Improper Authentication	>=5.0.0-beta.1, <5.2.3
H SQL Injection	<3.7.32
H Unrestricted Upload of File with Dangerous Type	<2.6.3001
M URL Redirection to Untrusted Site ('Open Redirect')	<2.6.2976
M Cross-site Scripting (XSS)	<3.0.41
M Improper Privilege Management	>=3.0.0, <3.9.6>=4.0.0-RC1, <4.5.11
C Remote Code Execution (RCE)	>=4.0.0-RC1, <4.4.15
H Remote Code Execution (RCE)	>=3.0.0, <3.8.15>=4.0.0-RC1, <4.4.15
M Cross-site Scripting (XSS)	<2.6.2976
M Cross-site Scripting (XSS)	<2.6.2982
M Cross-site Scripting (XSS)	<2.6.2974
M Access Restriction Bypass	<2.6.2976
M Improper Input Validation	<4.4.12
M Server-side Request Forgery (SSRF)	<4.4.2
M Cross-site Scripting (XSS)	<4.4.12
M Cross-site Scripting (XSS)	>=4.3.0, <4.4.6
M Cross-site Scripting (XSS)	>=3.0.0, <3.8.6>=4.0.0-RC1, <4.4.6
M Cross-site Scripting (XSS)	>=4.0.0-rc1, <4.4.6
M Cross-site Scripting (XSS)	>=4.0.0-rc1, <4.4.7
H Remote Code Execution (RCE)	>=4.0.0, <4.4.6
H Arbitrary Code Execution	<3.9.11
M Cross-site Scripting (XSS)	<3.8.4>=4.0.0, <4.4.4
M Cross-site Scripting (XSS)	<3.7.68
M Cross-site Scripting (XSS)	<4.3.7
M Cross-site Request Forgery (CSRF)	>=3.0.0, <3.7.33
M Cross-site Scripting (XSS)	<3.7.51>=4.0.0-alpha.1, <4.2.1
M Cross-site Scripting (XSS)	<4.2.1
M Cross-site Scripting (XSS)	<4.2.1
M Cross-site Scripting (XSS)	<4.2.1
M Cross-site Scripting (XSS)	<4.2.1
M Access Restriction Bypass	>=0.0.0
M Cross-site Scripting (XSS)	<3.7.29
L CSV Injection	<3.7.14
M Cross-site Scripting (XSS)	<3.6.0
M Remote Code Execution (RCE)	<3.6.7
M Cross-site Scripting (XSS)	<3.6.13
M Cross-site Scripting (XSS)	<3.1.33
M Brute Force	<3.1.7
H Cross-site Scripting (XSS)	<3.3.8
H Information Exposure	<2.7.10>=3.0.0, <3.2.6
M Cross-site Scripting (XSS)	<3.1.31

Vulnerability

Vulnerable Version

Arbitrary Code Injection

>=4.0.0-RC1, <4.16.5>=5.0.0-RC1, <5.8.7