128 CVEs

4 in CISA KEV

craftcms Vulnerabilities

CVE security advisories and vulnerability history for craftcms.

128

Total CVEs

Published

4

In CISA KEV

Exploited in the wild

49

Public exploits

With known exploit

6.5

Avg CVSS

2017–2026

Overview

craftcms has 128 published CVE records since 2017, of which 4 are in CISA's Known Exploited Vulnerabilities catalog and 49 have a known public exploit. The average CVSS base score across scored CVEs is 6.5.

This page aggregates every publicly disclosed vulnerability (CVE) affecting craftcms products, with severity breakdowns, the most-affected products, the most common weakness types, and the latest disclosures.

Severity and exploitation

How the CVSS severity of craftcms's CVEs breaks down, plus how many are exploited in the wild or have public exploit code.

Critical7

High35

Medium51

Low9

26 additional CVEs have no CVSS severity score.

In CISA’s Known Exploited Vulnerabilities catalog

4

4 of craftcms's CVEs are confirmed exploited in the wild.

Public exploits

49

49 of craftcms's CVEs have a known public exploit available.

Most affected products

The craftcms products with the most published CVEs.

cms102 CVEs
craftcms/cms98 CVEs
craft cms97 CVEs
commerce20 CVEs
craftcms/commerce19 CVEs
craft commerce17 CVEs
craft_cms6 CVEs
CraftCMS1 CVEs

Common weakness types

The CWE weakness categories most often found in craftcms CVEs. Follow any weakness for its full explanation.

CNAs that assign these CVEs

The CVE Numbering Authorities that publish craftcms CVE records.

Disclosure activity by year

How many craftcms CVEs were published each year.

2019

5

2020

1

2021

5

2022

8

2023

14

2024

10

2025

6

2026

71

Latest craftcms CVEs

The most recently disclosed vulnerabilities affecting craftcms.

Craft CMS: Potential authenticated Remote Code Execution via malicious attached Behavior
CWE-479
High · CVSS 8.6
EPSS 0.0%2026-05-12
Craft CMS: Missing Volume Permission Check in AssetsController::actionShowInFolder Allows Information Disclosure
CWE-862
High · CVSS 7.1
EPSS 0.0%2026-05-12
Craft CMS: Missing Authorization in GraphQL Address Resolver Allows Cross-Scope PII Disclosure
CWE-862
High · CVSS 7.1
EPSS 0.0%2026-05-12
Craft CMS has a host header injection leading to SSRF via resource-js endpoint
CWE-918
Medium · CVSS 5.5
EPSS 0.1%2026-04-21
Craft CMS has Server-Side Request Forgery (SSRF) with Asset Uploads Mutations
CWE-918
Medium · CVSS 5.5
EPSS 0.0%2026-04-21
Craft CMS has a Missing Authorization Check on User Group Removal via save-permissions Action
CWE-862
Medium · CVSS 5.3
EPSS 0.0%2026-04-21
Craft Commerce: Blind SQL Injection via hasVariant/hasProduct
CWE-89
High · CVSS 8.7
EPSS 0.0%2026-04-13
Craft Commerce: SQL Injection can lead to Remote Code Execution via TotalRevenue Widget
CWE-89
High · CVSS 7.7
EPSS 0.1%2026-04-13
Craft Commerce: Unauthenticated information disclosure in `commerce/payments/pay` can leak some customer order data on anonymous payments
CWE-200
Low · CVSS 1.7
EPSS 0.1%2026-04-13
Craft CMS: Authorization bypass in "entries/move-to-section" allows control panel user to move entries without section permissions
CWE-285
Medium · CVSS 4.9
EPSS 0.0%2026-03-24
Craft CMS: Anonymous "assets/image-editor" calls returns private asset editor metadata to unauthorized users
CWE-862
Low · CVSS 1.3
EPSS 0.0%2026-03-24
Craft CMS: Anonymous "generate transform" calls for assets can expose private assets via transform URL
CWE-639
Low · CVSS 2.7
EPSS 0.0%2026-03-24

Track new craftcms CVEs as they are disclosed and get AI-written analysis and remediation guidance.

Monitor craftcms CVEs

Other vendors

Browse vulnerabilities for other tracked vendors.

microsoft24,097 CVEs Linux19,131 CVEs google14,281 CVEs apple14,019 CVEs oracle10,440 CVEs debian10,201 CVEs IBM8,265 CVEs Adobe7,222 CVEs

Browse all vendors

Frequently asked questions

Common questions about craftcms vulnerabilities.

How many CVEs does craftcms have?

craftcms has 128 published CVE records since 2017, including 77 in the last two years.

How many craftcms CVEs are in CISA KEV?

Yes — 4 of craftcms's CVEs are listed in CISA's Known Exploited Vulnerabilities catalog, confirmed exploited in the wild and carrying a CISA remediation deadline.

Which craftcms products have the most CVEs?

The craftcms products with the most published CVEs are cms, craftcms/cms, craft cms, commerce, craftcms/commerce.

What are the most common weakness types in craftcms CVEs?

craftcms's CVEs most often map to these CWE weakness types: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')), CWE-94 (Improper Control of Generation of Code ('Code Injection')), CWE-639 (Authorization Bypass Through User-Controlled Key), CWE-89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')).

Are there public exploits for craftcms vulnerabilities?

Yes — 49 of craftcms's CVEs have a known public exploit.

How many critical craftcms vulnerabilities are there?

craftcms has 7 critical and 35 high-severity CVEs.

What is the average severity of craftcms CVEs?

The average CVSS base score across craftcms's scored CVEs is 6.5.

References

Vulnerability data is sourced from the CVE Program; severity, KEV, and exploit signals are aggregated by RadicalNotion.AI.

Track craftcms vulnerabilities

Monitor new craftcms vulnerabilities as they are disclosed, with AI-written analysis and remediation guidance.

Start free See pricing