brandonkelly

56 exploits, active since May 2021
CVE-2026-28782 (MEDIUM)
Craft CMS <5.9.0-beta.1/4.17.0-beta.1 - Privilege Escalation
Craft is a content management system (CMS). Prior to 5.9.0-beta.1 and 4.17.0-beta.1, the "Duplicate" entry action does not properly verify if the user has permission to perform this action on the specific target elements. Even with only "View Entries" permission (where the "Duplicate" action is restricted in the UI), a user can bypass this restriction by sending a direct request. Furthermore, this vulnerability allows duplicating other users' entries by specifying their Entry IDs. Since Entry IDs are incremental, an attacker can trivially brute-force these IDs to duplicate and access restricted content across the system. This vulnerability is fixed in 5.9.0-beta.1 and 4.17.0-beta.1.
CVSS 4.3
CVE-2026-29069 (MEDIUM)
Craft CMS <5.9.0-beta.2/4.17.0-beta.2 - Auth Bypass
Craft is a content management system (CMS). Prior to 5.9.0-beta.2 and 4.17.0-beta.2, the actionSendActivationEmail() endpoint is accessible to unauthenticated users and does not require a permission check for pending users. An attacker with no prior access can trigger activation emails for any pending user account by knowing or guessing the user ID. If the attacker controls the target user’s email address, they can activate the account and gain access to the system. This vulnerability is fixed in 5.9.0-beta.2 and 4.17.0-beta.2.
CVSS 5.3
CVE-2026-27126 (MEDIUM)
Craft CMS 4.5.0-RC1-4.16.18/5.0.0-RC1-5.8.22 - XSS
Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a stored Cross-site Scripting (XSS) vulnerability exists in the `editableTable.twig` component when using the `html` column type. The application fails to sanitize the input, allowing an attacker to execute arbitrary JavaScript when another user views a page with the malicious table field. In order to exploit the vulnerability, an attacker must have an administrator account, and `allowAdminChanges` must be enabled in production, which is against Craft's security recommendations. Versions 4.16.19 and 5.8.23 patch the issue.
CVSS 4.8
CVE-2026-27127 (MEDIUM)
Craft CMS 4.5.0-RC1-4.16.18/5.0.0-RC1-5.8.22 - SSRF
Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS’s GraphQL Asset mutation performs DNS resolution separately from the HTTP request. This Time-of-Check-Time-of-Use (TOCTOU) vulnerability enables DNS rebinding attacks, where an attacker’s DNS server returns different IP addresses for validation compared to the actual request. This is a bypass of the security fix for CVE-2025-68437 that allows access to all blocked IPs, not just IPv6 endpoints. Exploitation requires GraphQL schema permissions for editing assets in the `<VolumeName>` volume and creating assets in the `<VolumeName>` volume. These permissions may be granted to authenticated users with appropriate GraphQL schema access and/or Public Schema (if misconfigured with write permissions). Versions 4.16.19 and 5.8.23 patch the issue.
CVSS 6.3
CVE-2026-27128 (MEDIUM)
Craft CMS 4.5.0-RC1-4.16.18/5.0.0-RC1-5.8.22 - Auth Bypass
Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a Time-of-Check-Time-of-Use (TOCTOU) race condition exists in Craft CMS’s token validation service for tokens that explicitly set a limited usage. The `getTokenRoute()` method reads a token’s usage count, checks if it’s within limits, then updates the database in separate non-atomic operations. By sending concurrent requests, an attacker can use a single-use impersonation token multiple times before the database update completes. To make this work, an attacker needs to obtain a valid user account impersonation URL with a non-expired token via some other means and exploit a race condition while bypassing any rate-limiting rules in place. For this to be a privilege escalation, the impersonation URL must include a token for a user account with more permissions than the current user. Versions 4.16.19 and 5.8.23 patch the issue.
CVSS 4.8
CVE-2026-27129 (MEDIUM)
Craft CMS 4.5.0-RC1-4.16.18/5.0.0-RC1-5.8.22 - SSRF
Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS’s GraphQL Asset mutation uses `gethostbyname()`, which only resolves IPv4 addresses. When a hostname has only AAAA (IPv6) records, the function returns the hostname string itself, causing the blocklist comparison to always fail and completely bypassing SSRF protection. This is a bypass of the security fix for CVE-2025-68437. Exploitation requires GraphQL schema permissions for editing assets in the `<VolumeName>` volume and creating assets in the `<VolumeName>` volume. These permissions may be granted to authenticated users with appropriate GraphQL schema access and/or Public Schema (if misconfigured with write permissions). Versions 4.16.19 and 5.8.23 patch the issue.
CVSS 6.5
CVE-2021-32470 (MEDIUM)
Craftcms Craft Cms < 3.6.13 - XSS
Craft CMS before 3.6.13 has an XSS vulnerability.
CVSS 6.1
CVE-2022-37246 (MEDIUM)
Craftcms Craft Cms < 4.2.1 - XSS
Craft CMS 4.2.0.1 is affected by Cross-Site Scripting (XSS) in the file src/web/assets/cp/src/js/BaseElementSelectInput.js, specifically on the line `label: elementInfo.label`.
CVSS 5.4
CVE-2022-37247 (MEDIUM)
Craftcms Craft Cms < 4.2.1 - XSS
Craft CMS 4.2.0.1 is vulnerable to a stored cross-site scripting (XSS) via the /admin/settings/fields page.
CVSS 5.4
CVE-2022-37248 (MEDIUM)
Craftcms Craft Cms < 4.2.1 - XSS
Craft CMS 4.2.0.1 is vulnerable to Cross Site Scripting (XSS) via src/helpers/Cp.php.
CVSS 5.4
CVE-2022-37250 (MEDIUM)
Craftcms Craft Cms < 4.2.1 - XSS
Craft CMS 4.2.0.1 suffers from Stored Cross Site Scripting (XSS) in /admin/myaccount.
CVSS 5.4
CVE-2023-2817 (MEDIUM)
Craft CMS <=4.4.11 - XSS
A post-authentication stored cross-site scripting vulnerability exists in Craft CMS versions <= 4.4.11. HTML, including script tags, can be injected into field names, which, when the field is added to a category or section, will trigger when users visit the Categories or Entries pages respectively.
CVSS 5.4
CVE-2023-31144 (MEDIUM)
Craft CMS <3.8.4-4.4.4 - XSS
Craft CMS is a content management system. Starting in version 3.0.0 and prior to versions 3.8.4 and 4.4.4, a malformed title in the feed widget can deliver a cross-site scripting payload. This issue is fixed in version 3.8.4 and 4.4.4.
CVSS 6.1
CVE-2023-33194 (LOW)
Craft CMS <4.4.6 - XSS
Craft is a CMS for creating custom digital experiences on the web. The platform does not filter input and encode output in the Quick Post validation error message, which can deliver an XSS payload. An earlier CVE fixed the XSS in the label HTML but did not fix it when clicking save. This issue was patched in version 4.4.6.
CVSS 3.7
CVE-2023-33195 (MEDIUM)
Craft <4.4.5 - XSS
Craft is a CMS for creating custom digital experiences on the web. A malformed RSS feed can deliver an XSS payload. This issue was patched in version 4.4.6.
CVSS 5.0
CVE-2023-33196 (MEDIUM)
Craft <4.4.6 - XSS
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
CVSS 5.5
CVE-2023-33197 (MEDIUM)
Craft <4.4.5 - XSS
Craft is a CMS for creating custom digital experiences on the web. Cross-site scripting (XSS) can be triggered via the Update Asset Index utility. This issue has been patched in version 4.4.6.
CVSS 5.5
CVE-2024-45406 (MEDIUM)
Craft CMS 5 - Stored XSS
Craft is a content management system (CMS). In Craft CMS 5, stored XSS can be triggered via the breadcrumb list and title fields that contain user input.
CVSS 5.5
CVE-2024-52293 (HIGH)
Craft <4.12.2, <5.4.3 - RCE
Craft is a content management system (CMS). Prior to 4.12.2 and 5.4.3, Craft is missing a normalizePath call in the function FileHelper::absolutePath, which could lead to remote code execution on the server via Twig SSTI. This is a sequel to CVE-2023-40035. This vulnerability is fixed in 4.12.2 and 5.4.3.
CVSS 7.2
CVE-2025-23209 (HIGH)
Craftcms Craft Cms < 4.13.8 - Code Injection
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. This is a remote code execution (RCE) vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised. Anyone running an unpatched version of Craft with a compromised security key is affected. This vulnerability has been patched in Craft 5.5.8 and 4.13.8. Users who cannot update to a patched version should rotate their security keys and keep them private to help mitigate the issue.
CVSS 8.0
CVE-2025-54417 (HIGH)
Craftcms Craft Cms < 4.16.3 - Code Injection
Craft is a platform for creating digital experiences. Versions 4.13.8 through 4.16.2 and 5.5.8 through 5.8.3 contain a vulnerability that can bypass CVE-2025-23209: "Craft CMS has a potential RCE with a compromised security key". To exploit this vulnerability, the project must meet these requirements: have a compromised security key and create an arbitrary file in Craft's /storage/backups folder. With those criteria in place, attackers could create a specific, malicious request to the /updater/restore-db endpoint and execute CLI commands remotely. This issue is fixed in versions 4.16.3 and 5.8.4.
CVSS 8.8
CVE-2025-57811 (HIGH)
Craftcms Craft Cms < 4.16.6 - Remote Code Execution
Craft is a platform for creating digital experiences. From versions 4.0.0-RC1 to 4.16.5 and 5.0.0-RC1 to 5.8.6, there is a potential remote code execution vulnerability via Twig SSTI (Server-Side Template Injection). This is a follow-up to CVE-2024-52293. This vulnerability has been patched in versions 4.16.6 and 5.8.7.
CVSS 7.2
CVE-2025-68436 (MEDIUM)
Craftcms Craft Cms < 4.16.17 - Information Disclosure
Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, authenticated users on a Craft installation could expose sensitive assets through their user profile photo by sending maliciously crafted requests. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.
CVSS 6.5
CVE-2025-68454 (HIGH)
Craftcms Craft Cms < 4.16.17 - Remote Code Execution
Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via Twig SSTI. For this to work, users must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled, which is against Craft CMS' recommendations for any non-dev environment. Alternatively, a non-administrator account with allowAdminChanges disabled can be used, provided access to the System Messages utility is available. It is possible to craft a malicious payload using the Twig `map` filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to RCE. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.
CVSS 8.8
CVE-2025-68456 (CRITICAL)
Craftcms Craft Cms < 4.16.17 - Information Disclosure
Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes.
CVSS 9.1