Brad Bell

10 exploits Active since Mar 2021
CVE-2023-36260 WRITEUP HIGH WRITEUP
Feed Me plugin 4.6.1 for Craft CMS - Denial of Service via Crafted Feed-Me Name and URL Fields
An issue was discovered in the Feed Me plugin 4.6.1 for Craft CMS. It allows remote attackers to cause a denial of service (DoS) via crafted strings to Feed-Me Name and Feed-Me URL fields, due to saving a feed using an Asset element type with no volume selected. NOTE: this is not a report about code provided by the Craft CMS product; it is only a report about the Feed Me plugin. NOTE: a third-party report states that commit b5d6ede51848349bd91bc95fec288b6793f15e28 has "nothing to do with security."
CVSS 7.5
CVE-2024-21622 WRITEUP MEDIUM WRITEUP
Craft CMS 3.0.0-3.9.5 and 4.0.0-RC1-4.4.15 - Privilege Escalation
Craft is a content management system. This is a potential moderate impact, low complexity privilege escalation vulnerability in Craft starting in 3.x prior to 3.9.6 and 4.x prior to 4.4.16 with certain user permissions setups. This has been fixed in Craft 4.4.16 and Craft 3.9.6. Users should ensure they are running at least those versions.
CVSS 5.4
CVE-2026-29172 WRITEUP HIGH WRITEUP
Craft Commerce <4.10.2/5.5.3 - SQL Injection
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, Craft Commerce is vulnerable to SQL Injection in the purchasables table endpoint. The sort parameter is split by | and the first part (column name) is passed directly as an array key to orderBy() without whitelist validation. Yii2's query builder does NOT escape array keys, allowing an authenticated attacker to inject arbitrary SQL into the ORDER BY clause. This vulnerability is fixed in 4.10.2 and 5.5.3.
CVSS 8.8
CVE-2026-29173 WRITEUP MEDIUM WRITEUP
Craft Commerce 4.0.0-4.10.1 - Stored Cross-Site Scripting in Order Status Update
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a stored XSS vulnerability exists when a user tries to update the Order Status from the Commerce Orders Table. The Order Status Name is rendered without proper escaping, allowing script execution to occur. This vulnerability is fixed in 4.10.2 and 5.5.3.
CVSS 4.8
CVE-2026-29174 WRITEUP HIGH WRITEUP
Craft Commerce <5.5.3 - SQL Injection
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, Craft Commerce is vulnerable to SQL Injection in the inventory levels table data endpoint. The sort[0][direction] and sort[0][sortField] parameters are concatenated directly into an addOrderBy() clause without any validation or sanitization. An authenticated attacker with access to the Commerce Inventory section can inject arbitrary SQL queries, potentially leading to a full database compromise. This vulnerability is fixed in 5.5.3.
CVSS 8.8
CVE-2020-19626 WRITEUP MEDIUM WRITEUP
Craft CMS 3.1.31 - Stored Cross-Site Scripting via Site Settings
Cross Site Scripting (XSS) vulnerability in craftcms 3.1.31, allows remote attackers to inject arbitrary web script or HTML, via /admin/settings/sites/new.
CVSS 5.4
CVE-2023-30177 WRITEUP MEDIUM WRITEUP
CraftCMS < 3.7.68 - Stored Cross-Site Scripting via Volume Name
CraftCMS 3.7.59 is vulnerable Cross Site Scripting (XSS). An attacker can inject javascript code into Volume Name.
CVSS 6.1
CVE-2023-40035 WRITEUP HIGH WRITEUP
Craft CMS 3.0.0-3.8.14 and 4.0.0-RC1-4.4.14 - Authenticated Remote Code Execution via Path Validation Bypass
Craft is a CMS for creating custom digital experiences on the web and beyond. Bypassing the validatePath function can lead to potential remote code execution. This vulnerability can lead to malicious control of vulnerable systems and data exfiltrations. Although the vulnerability is exploitable only in the authenticated users, configuration with ALLOW_ADMIN_CHANGES=true, there is still a potential security threat (Remote Code Execution). This issue has been patched in version 4.4.15 and version 3.8.15.
CVSS 7.2
CVE-2024-21622 WRITEUP MEDIUM WRITEUP
Craft CMS 3.0.0-3.9.5 and 4.0.0-RC1-4.4.15 - Privilege Escalation
Craft is a content management system. This is a potential moderate impact, low complexity privilege escalation vulnerability in Craft starting in 3.x prior to 3.9.6 and 4.x prior to 4.4.16 with certain user permissions setups. This has been fixed in Craft 4.4.16 and Craft 3.9.6. Users should ensure they are running at least those versions.
CVSS 5.4
CVE-2025-57811 WRITEUP HIGH WRITEUP
Craft CMS 4.0.0-RC1-4.16.5 and 5.0.0-RC1-5.8.6 - Remote Code Execution via Twig SSTI
Craft is a platform for creating digital experiences. From versions 4.0.0-RC1 to 4.16.5 and 5.0.0-RC1 to 5.8.6, there is a potential remote code execution vulnerability via Twig SSTI (Server-Side Template Injection). This is a follow-up to CVE-2024-52293. This vulnerability has been patched in versions 4.16.6 and 5.8.7.
CVSS 7.2