brandonkelly

68 exploits Active since May 2021
CVE-2023-33194 LOW WRITEUP
Craft CMS 3.0.0-3.8.5 and 4.0.0-RC1-4.4.5 - Stored Cross-Site Scripting in Quick Post Validation Error Message
Craft is a CMS for creating custom digital experiences on the web. The platform does not filter input or encode output in the Quick Post validation error message, which can deliver an XSS payload. An earlier CVE fixed the XSS in the label HTML but did not fix the same output when the Quick Post is saved. This issue was patched in version 4.4.6.
CVSS 3.7
CVE-2023-33195 MEDIUM WRITEUP
Craft CMS 4.3.0-4.4.5 - Cross-Site Scripting via Malformed RSS Feed
Craft is a CMS for creating custom digital experiences on the web. A malformed RSS feed can deliver an XSS payload. This issue was patched in version 4.4.6.
CVSS 5.0
CVE-2023-33196 MEDIUM WRITEUP
Craft CMS 4.0.1-4.4.6 - Cross-Site Scripting via Review Volumes
Craft is a CMS for creating custom digital experiences. Cross-site scripting (XSS) can be triggered via review volumes. This issue has been fixed in version 4.4.7.
CVSS 5.5
CVE-2023-33197 MEDIUM WRITEUP
Craft CMS < 4.4.6 - Cross-Site Scripting via Update Asset Index Utility
Craft is a CMS for creating custom digital experiences on the web. Cross-site scripting (XSS) can be triggered via the Update Asset Index utility. This issue has been patched in version 4.4.6.
CVSS 5.5
CVE-2024-45406 MEDIUM WRITEUP
Craft CMS 5.0.0-5.1.1 - Stored Cross-Site Scripting in Breadcrumb List and Title Fields
Craft is a content management system (CMS). Craft CMS 5 stored XSS can be triggered by the breadcrumb list and title fields with user input.
CVSS 5.5
CVE-2024-52293 HIGH WRITEUP
Craft CMS 4.0.0-4.12.1 and 5.x < 5.4.3 - Remote Code Execution via Twig SSTI
Craft is a content management system (CMS). Prior to 4.12.2 and 5.4.3, FileHelper::absolutePath is missing a normalizePath call, which could lead to remote code execution on the server via Twig SSTI. This is a sequel to CVE-2023-40035. This vulnerability is fixed in 4.12.2 and 5.4.3.
CVSS 7.2
CVE-2025-23209 HIGH WRITEUP
Craft CMS 4.0.0-4.13.7 and 5.0.0-RC1-5.5.7 - Remote Code Execution via Compromised Security Key
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. This is a remote code execution (RCE) vulnerability that affects Craft 4 and 5 installs whose security key has already been compromised. Anyone running an unpatched version of Craft with a compromised security key is affected. This vulnerability has been patched in Craft 5.5.8 and 4.13.8. Users who cannot update to a patched version should rotate their security keys and keep them private to help mitigate the issue.
CVSS 8.0
CVE-2025-54417 HIGH WRITEUP
Craft CMS 4.13.8-4.16.2 and 5.5.8-5.8.3 - Remote Code Execution via /updater/restore-db Endpoint
Craft is a platform for creating digital experiences. Versions 4.13.8 through 4.16.2 and 5.5.8 through 5.8.3 contain a vulnerability that can bypass the fix for CVE-2025-23209 ("Craft CMS has a potential RCE with a compromised security key"). Two preconditions must hold: the project's security key must already be compromised, and the attacker must be able to create an arbitrary file in Craft's /storage/backups folder. With those in place, attackers could craft a specific, malicious request to the /updater/restore-db endpoint and execute CLI commands remotely. This issue is fixed in versions 4.16.3 and 5.8.4.
CVSS 8.8
CVE-2025-57811 HIGH WRITEUP
Craft CMS 4.0.0-RC1-4.16.5 and 5.0.0-RC1-5.8.6 - Remote Code Execution via Twig SSTI
Craft is a platform for creating digital experiences. From versions 4.0.0-RC1 to 4.16.5 and 5.0.0-RC1 to 5.8.6, there is a potential remote code execution vulnerability via Twig SSTI (Server-Side Template Injection). This is a follow-up to CVE-2024-52293. This vulnerability has been patched in versions 4.16.6 and 5.8.7.
CVSS 7.2
CVE-2025-68436 MEDIUM WRITEUP
Craft CMS 4.0.0-RC1-4.16.16 and 5.0.0-RC1-5.8.20 - Authenticated Sensitive Information Exposure via User Profile Photo
Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, authenticated users on a Craft installation could potentially expose sensitive assets via their user profile photo via maliciously crafted requests. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.
CVSS 6.5
CVE-2025-68454 HIGH WRITEUP
Craft CMS 4.0.0-RC1-4.16.16 and 5.0.0-RC1-5.8.20 - Authenticated Remote Code Execution via Twig SSTI
Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via Twig SSTI. For this to work, users must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled, which is against Craft CMS' recommendations for any non-dev environment. Alternatively, a non-administrator account with allowAdminChanges disabled can be used, provided access to the System Messages utility is available. It is possible to craft a malicious payload using the Twig `map` filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.
CVSS 8.8
CVE-2025-68456 CRITICAL WRITEUP
Craft CMS 3.0.0-4.16.16 and 5.0.0-RC1-5.8.20 - Unauthenticated Resource Exhaustion via Database Backup Trigger
Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes.
CVSS 9.1
CVE-2026-25492 MEDIUM WRITEUP
Craft CMS 3.5.0-4.16.17 and 5.0.0-RC1-5.8.21 - Server-Side Request Forgery via GraphQL
Craft CMS is a content management system. In Craft versions 3.5.0 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the save_images_Asset GraphQL mutation can be abused to fetch internal URLs by providing a domain name that resolves to an internal IP address, bypassing hostname validation. When a non-image file extension such as .txt is allowed, downstream image validation is bypassed, which can allow an authenticated attacker with permission to use save_images_Asset to retrieve sensitive data such as AWS instance metadata credentials from the underlying host. This issue is patched in versions 4.16.18 and 5.8.22.
CVSS 6.5
CVE-2026-25493 MEDIUM WRITEUP
Craft CMS 4.0.0-RC1-4.16.17 and 5.0.0-RC1-5.8.21 - Redirect-Based Server-Side Request Forgery via saveAsset GraphQL Mutation
Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation validates the initial URL hostname and resolved IP against a blocklist, but Guzzle follows HTTP redirects by default. An attacker can bypass all SSRF protections by hosting a redirect that points to cloud metadata endpoints or any internal IP addresses. This issue is patched in versions 4.16.18 and 5.8.22.
CVSS 6.5
CVE-2026-25494 MEDIUM WRITEUP
Craft CMS 4.0.0-RC1-4.16.17 and 5.0.0-RC1-5.8.21 - Alternative IP Notation Server-Side Request Forgery via saveAsset GraphQL Mutation
Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation uses filter_var(..., FILTER_VALIDATE_IP) to block a specific list of IP addresses. However, alternative IP notations (hexadecimal, mixed) are not recognized by this function, allowing attackers to bypass the blocklist and access cloud metadata services. This issue is patched in versions 4.16.18 and 5.8.22.
CVSS 6.5
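The three saveAsset SSRF entries above (CVE-2026-25492, CVE-2026-25493 and CVE-2026-25494) share one root cause: the blocklist is compared against the literal the caller typed rather than against the address the HTTP client will actually connect to. The following is an added example, written in Python rather than Craft's PHP and not taken from Craft's code, of a guard that closes all three gaps: it parses every IPv4 spelling the C resolver accepts (hex, octal, decimal, short dotted forms), validates resolved addresses instead of hostnames, and re-validates each redirect hop instead of letting the client auto-follow. The deny list, the `DNS` table standing in for getaddrinfo() and the `TRANSPORT` table standing in for the HTTP client are constructed for this example so it runs offline.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Assumed deny list: loopback, RFC 1918, CGNAT, link-local (incl. 169.254.169.254) and IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

def is_blocked_ip(ip):
    # ::ffff:169.254.169.254 is IPv4 in disguise; unwrap it before matching.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)

def parse_ipv4_like_inet_aton(text):
    """Accept the spellings inet_aton()/getaddrinfo() take but FILTER_VALIDATE_IP and
    ipaddress.ip_address() reject: 1-4 dot-separated parts, each decimal, octal (leading 0)
    or hex (0x); the last part fills the remaining bytes ("127.1" == 127.0.0.1).
    Returns an IPv4Address, or None when the text is not a numeric address."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for part in parts:
        if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
            values.append(int(part, 16))
        elif re.fullmatch(r"0[0-7]*", part):
            values.append(int(part, 8))
        elif re.fullmatch(r"[1-9][0-9]*", part):
            values.append(int(part, 10))
        else:
            return None
    *head, last = values
    if any(v > 255 for v in head) or last >= 256 ** (4 - len(head)):
        return None
    packed = 0
    for v in head:
        packed = (packed << 8) | v
    packed = (packed << (8 * (4 - len(head)))) | last
    return ipaddress.IPv4Address(packed)

def naive_is_blocked(host):
    """The check CVE-2026-25494 describes: anything that is not a canonical literal counts
    as 'not an IP', so '0x7f000001' or '2130706433' are never compared against the list."""
    try:
        return is_blocked_ip(ipaddress.ip_address(host))
    except ValueError:
        return False

def resolve(host, dns):
    """Addresses the client will really connect to. `dns` (name -> address strings) is a
    constructed stand-in for getaddrinfo()."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        pass
    numeric = parse_ipv4_like_inet_aton(host)
    if numeric is not None:
        return [numeric]
    return [ipaddress.ip_address(a) for a in dns.get(host.lower(), [])]

def url_allowed(url, dns):
    """Hardened check: http(s) only, the name must resolve, and every resolved address
    (not the literal the user typed) must fall outside the deny list."""
    u = urlparse(url)
    if u.scheme not in ("http", "https") or not u.hostname:
        return False
    addrs = resolve(u.hostname, dns)
    return bool(addrs) and not any(is_blocked_ip(ip) for ip in addrs)

def fetch_with_revalidation(url, dns, transport, max_hops=5):
    """Follow redirects by hand so each Location passes url_allowed() again; auto-following
    is the gap CVE-2026-25493 describes. `transport` maps URL -> (status, headers, body)."""
    for _ in range(max_hops):
        if not url_allowed(url, dns):
            return "blocked:" + url
        status, headers, body = transport[url]
        if status in (301, 302, 303, 307, 308):
            url = headers["Location"]
            continue
        return body
    return "error:too many redirects"

# Constructed sample data: a benign CDN, a public name that resolves to an internal address
# (the CVE-2026-25492 case), and a redirector pointing at the cloud metadata service.
DNS = {
    "assets.example.test": ["203.0.113.10"],
    "rebind.attacker.test": ["10.0.0.5"],
    "cdn.attacker.test": ["198.51.100.7"],
}
TRANSPORT = {
    "http://assets.example.test/logo.png": (200, {}, "<png bytes>"),
    "http://cdn.attacker.test/img": (302, {"Location": "http://169.254.169.254/latest/meta-data/"}, ""),
    "http://169.254.169.254/latest/meta-data/": (200, {}, "iam/security-credentials/"),
}
```

Validating resolved addresses still leaves a window between the check and the connect: a name can be re-resolved to a different answer (DNS rebinding), so a production guard should also pin the connection to the address it validated, or perform the check inside the client's connect hook rather than before the request.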
CVE-2026-25495 HIGH WRITEUP
Craft CMS 4.0.0-4.16.17 and 5.0.0-RC1-5.8.21 - Authenticated SQL Injection via Element Index OrderBy Parameter
Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the element-indexes/get-elements endpoint is vulnerable to SQL Injection via the criteria[orderBy] parameter (JSON body). The application fails to sanitize this input before using it in the database query. An attacker with Control Panel access can inject arbitrary SQL into the ORDER BY clause by omitting viewState[order] (or setting both to the same payload). This issue is patched in versions 4.16.18 and 5.8.22.
CVSS 8.8
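ORDER BY is a position where bound parameters cannot help, because the clause takes an expression rather than a value; the only safe construction is an allowlist. The following is an added example, not Craft's code and in Python with an in-memory sqlite3 database rather than Craft's PHP and MySQL/PostgreSQL, showing the injectable pattern CVE-2026-25495 describes beside an allowlisted builder, and a boolean-inference attack through the sort order that recovers a value row by row against the first but not the second. The schema, rows and `ALLOWED_COLUMNS` are constructed for the example.

```python
import re
import sqlite3

def make_db():
    """Constructed sample schema: an entries table to sort and a users table to leak from."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'h4sh'), (2, 'editor', 'x');
        CREATE TABLE entries (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO entries VALUES (1, 'zeta'), (2, 'alpha'), (3, 'mid');
    """)
    return db

def vulnerable_titles(db, order_by):
    """The pattern CVE-2026-25495 describes: criteria[orderBy] lands in the query verbatim."""
    rows = db.execute(f"SELECT title FROM entries ORDER BY {order_by}").fetchall()
    return [title for (title,) in rows]

ALLOWED_COLUMNS = {"id", "title"}
ORDER_BY_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*(asc|desc)?\s*$", re.IGNORECASE)

def parse_order_by(order_by):
    """Returns (column, direction) only for '<allowlisted column> [asc|desc]', else None."""
    m = ORDER_BY_RE.match(order_by)
    if not m or m.group(1).lower() not in ALLOWED_COLUMNS:
        return None
    return m.group(1).lower(), (m.group(2) or "asc").upper()

def safe_titles(db, order_by):
    """Hardened form: only an allowlisted identifier and a fixed keyword reach the SQL text."""
    parsed = parse_order_by(order_by)
    if parsed is None:
        raise ValueError("orderBy must be an allowlisted column, optionally followed by ASC or DESC")
    column, direction = parsed
    rows = db.execute(f'SELECT title FROM entries ORDER BY "{column}" {direction}').fetchall()
    return [title for (title,) in rows]

def leak_char(db, sorter, position):
    """Boolean inference through the sort order: when the CASE is true every row sorts by id
    ('zeta', id 1, comes first); when false they sort by title ('alpha' comes first)."""
    for c in "0123456789abcdefghijklmnopqrstuvwxyz":
        payload = ("(CASE WHEN (SELECT substr(password,%d,1) FROM users WHERE id=1)='%s' "
                   "THEN id ELSE title END)" % (position, c))
        try:
            if sorter(db, payload)[0] == "zeta":
                return c
        except ValueError:      # the hardened sorter rejects the payload outright
            return None
    return None

def recover_password(db, sorter, length=4):
    """Recovers `length` characters of the admin password through the given sorter."""
    return "".join(leak_char(db, sorter, i) or "?" for i in range(1, length + 1))

if __name__ == "__main__":
    print("injectable:", recover_password(make_db(), vulnerable_titles))
    print("allowlisted:", recover_password(make_db(), safe_titles))
```

The allowlist is deliberately a set of column names rather than a regex over "safe characters": the attack payload above contains nothing but letters, digits, parentheses, quotes and commas, so character filtering would not have stopped it.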
CVE-2026-25497 HIGH WRITEUP
Craft CMS < 4.17.0-beta.1 and < 5.9.0-beta.1 - Cross-Volume Asset Privilege Escalation via saveAsset GraphQL Mutation
Craft is a platform for creating digital experiences. In Craft versions from 4.0.0-RC1 before 4.17.0-beta.1, and 5.x before 5.9.0-beta.1, there is a privilege escalation vulnerability in Craft CMS's GraphQL API that allows an authenticated user with write access to one asset volume to modify or transfer assets belonging to any other volume, including restricted or private volumes to which they should not have access. The saveAsset GraphQL mutation validates authorization against the schema-resolved volume but fetches the target asset by ID without verifying that the asset belongs to the authorized volume. This allows unauthorized cross-volume asset modification and transfer. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1.
CVSS 8.8
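The defect in CVE-2026-25497 is an object-level authorization gap: the permission check runs against the volume the caller names, while the object that is then mutated is looked up by ID alone. The following is an added example, not Craft's code and in Python rather than Craft's PHP, putting that pattern beside a version that authorizes against the asset's real volume and, for a transfer, against the destination volume as well. The `Asset` and `User` records, the two volumes and the attacker account are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    id: int
    volume_id: int
    filename: str

@dataclass
class User:
    name: str
    writable_volumes: frozenset

def make_assets():
    """Constructed sample: volume 1 is a public uploads volume, volume 2 is restricted."""
    return {10: Asset(10, 1, "banner.png"), 20: Asset(20, 2, "payroll.pdf")}

def can_write(user, volume_id):
    return volume_id in user.writable_volumes

def save_asset_vulnerable(user, assets, volume_id, asset_id, filename=None, new_volume_id=None):
    """Pattern CVE-2026-25497 describes: authorization uses the volume the caller names,
    then the asset is loaded by id with no check that it lives in that volume."""
    if not can_write(user, volume_id):
        raise PermissionError("no write access to volume %d" % volume_id)
    asset = assets[asset_id]
    if filename is not None:
        asset.filename = filename
    if new_volume_id is not None:
        asset.volume_id = new_volume_id      # transfer, equally unchecked
    return asset

def save_asset_fixed(user, assets, volume_id, asset_id, filename=None, new_volume_id=None):
    """Object-level check: the asset must belong to the authorized volume, and a transfer
    additionally needs write access to the destination volume."""
    asset = assets.get(asset_id)
    if asset is None or asset.volume_id != volume_id or not can_write(user, asset.volume_id):
        raise PermissionError("asset %s is not writable by %s" % (asset_id, user.name))
    if new_volume_id is not None and not can_write(user, new_volume_id):
        raise PermissionError("no write access to destination volume %d" % new_volume_id)
    if filename is not None:
        asset.filename = filename
    if new_volume_id is not None:
        asset.volume_id = new_volume_id
    return asset

def attempt(save, user, assets, **kwargs):
    """Returns 'ok' or 'denied' so the two implementations can be compared side by side."""
    try:
        save(user, assets, **kwargs)
        return "ok"
    except PermissionError:
        return "denied"

# Constructed attacker: may write only to the public volume 1.
ATTACKER = User("attacker", frozenset({1}))

if __name__ == "__main__":
    # The attacker names volume 1 (which they own) but targets asset 20 in volume 2.
    print("vulnerable:", attempt(save_asset_vulnerable, ATTACKER, make_assets(),
                                 volume_id=1, asset_id=20, filename="pwned.pdf"))
    print("fixed:", attempt(save_asset_fixed, ATTACKER, make_assets(),
                            volume_id=1, asset_id=20, filename="pwned.pdf"))
```

The fixed version derives the volume to authorize from the loaded asset, so a caller-supplied volume that does not match the asset is rejected before any mutation; the same rule applies to any endpoint that takes both a container ID and an object ID.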
CVE-2026-25498 HIGH WRITEUP
Craft CMS 4.0.0-4.16.17 and 5.0.0-RC1-5.8.21 - Authenticated Remote Code Execution via Behavior Configuration Injection
Craft is a platform for creating digital experiences. In versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a Remote Code Execution (RCE) vulnerability exists in Craft CMS where the assembleLayoutFromPost() function in src/services/Fields.php fails to sanitize user-supplied configuration data before passing it to Craft::createObject(). This allows authenticated administrators to inject malicious Yii2 behavior configurations that execute arbitrary system commands on the server. This vulnerability represents an unpatched variant of the behavior injection vulnerability addressed in CVE-2025-68455, affecting different endpoints through a separate code path. This vulnerability is fixed in 5.8.22.
CVSS 7.2