Security: craftcms/cms
Security Advisories
View information about security vulnerabilities from this repository's maintainers.
-
DOM XSS via GitHub issue title in CraftSupport widgetGHSA-24x4-j6x9-rfw5 published
Jun 16, 2026 by angrybradHigh -
Stored XSS via Structure entry title in table viewGHSA-xrqc-p465-2xvg published
Jun 16, 2026 by angrybradModerate -
Missing peer-permission check in `AssetsController::actionDeleteFolder` allows deletion of other users' assetsGHSA-7h62-6v23-v8fm published
May 29, 2026 by angrybradModerate -
Unauthorized Deletion of Source Assets During File ReplacementGHSA-qh45-9g5p-m2v4 published
May 29, 2026 by angrybradModerate -
Unauthorized Deletion of Destination Folders During Forced MovesGHSA-3w32-23wj-rxg3 published
May 29, 2026 by angrybradModerate -
Mass assignment via id in newAttributes during bulk duplicate overwrites existing elementsGHSA-x5m4-g2cq-52pq published
May 29, 2026 by angrybradHigh -
Blind SSRF and Arbitrary JavaScript Injection via Host Header Poisoning in actionResourceJsGHSA-c55v-343g-5xff published
Jun 16, 2026 by angrybradModerate -
Sensitive File Disclosure / Server-Side File ReadGHSA-287w-mxq6-x2cp published
Jun 16, 2026 by angrybradModerate -
Authorization bypass in `entries/move-to-section` via missing target-section save checkGHSA-43cq-c2gq-pfpw published
May 29, 2026 by angrybradModerate -
Authorship spoofing in `entries/save-entry` via pre-check/post-mutation authorization gapGHSA-qq2c-2q8j-jh27 published
May 29, 2026 by angrybradModerate