6.9
CVE-2026-29069 - Craft has an unauthenticated activation email trigger with potential user enumeration
Craft is a content management system (CMS). Prior to 5.9.0-beta.2 and 4.17.0-beta.2, the actionSendActivationEmail() endpoint is accessible to unauthenticated users and does not require a permission check for pending users. An attacker with no prior access can trigger activation emails for any pendβ¦
8.6
CVE-2026-28784 - Craft is affected by potential authenticated Remote Code Execution via Twig SSTI
Craft is a content management system (CMS). Prior to 5.8.22 and 4.16.18, it is possible to craft a malicious payload using the Twig map filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE. For this toβ¦
9.4
CVE-2026-28783 - Craft has a Twig Function Blocklist Bypass
Craft is a content management system (CMS). Prior to 5.9.0-beta.1 and 4.17.0-beta.1, Craft CMS implements a blocklist to prevent potentially dangerous PHP functions from being called via Twig non-Closure arrow functions. In order to be able to successfully execute this attack, you need to either haβ¦
5.3
CVE-2026-28782 - Craft has a Permission Bypass and IDOR in Duplicate Entry Action
Craft is a content management system (CMS). Prior to 5.9.0-beta.1 and 4.17.0-beta.1, the "Duplicate" entry action does not properly verify if the user has permission to perform this action on the specific target elements. Even with only "View Entries" permission (where the "Duplicate" action is resβ¦
7.1
CVE-2026-28781 - Craft Affected by Entries Authorship Spoofing via Mass Assignment
Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the entry creation process allows for Mass Assignment of the authorId attribute. A user with "Create Entries" permission can inject the authorIds[] (or authorId) parameter into the POST request, which the backend pβ¦
9.4
CVE-2026-28697 - Craft Affected by Authenticated RCE via "craft.app.fs.write()" in Twig Templates
Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, an authenticated administrator can achieve Remote Code Execution (RCE) by injecting a Server-Side Template Injection (SSTI) payload into Twig template fields (e.g., Email Templates). By calling the craft.app.fs.wriβ¦
8.7
CVE-2026-28696 - Craft affected by IDOR via GraphQL @parseRefs
Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the GraphQL directive @parseRefs, intended to parse internal reference tags (e.g., {user:1:email}), can be abused by both authenticated users and unauthenticated guests (if a Public Schema is enabled) to access senβ¦
8.7
CVE-2026-3520 - Multer vulnerable to Denial of Service via uncontrolled recursion
Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.1 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing stack overflow. Users should upgrade to version 2.1.1 to receive a patch. Noβ¦
7.5
CVE-2026-28695 - Craft affected by authenticated RCE via Twig SSTI - create() function + Symfony Process gadget
Craft is a content management system (CMS). There is an authenticated admin RCE in Craft CMS 5.8.21 via Server-Side Template Injection using the create() Twig function combined with a Symfony Process gadget chain. The create() Twig function exposes Craft::createObject(), which allows instantiation β¦
7
CVE-2025-15558 - Docker Desktop Docker Plugins Uncontrolled Search Path Element Local Privilege Escalation Vulnerabiβ¦
Docker CLI for Windows searches for plugin binaries in C:\ProgramData\Docker\cli-plugins, a directory that does not exist by default. A low-privileged attacker can create this directory and place malicious CLI plugin binaries (docker-compose.exe, docker-buildx.exe, etc.) that are executed when a viβ¦