Build software better, together

Security Advisories

View known security vulnerabilities and report new vulnerabilities privately to maintainers.

Report a vulnerability

Missing Authorization Check on User Group Removal via save-permissions Action
GHSA-jq2f-59pj-p3m3 published Apr 13, 2026 by angrybrad

Moderate
Server-Side Request Forgery (SSRF) in Craft CMS with Asset Uploads Mutations
GHSA-3m9m-24vh-39wx published Apr 13, 2026 by angrybrad

Moderate
Authorization bypass in "entries/move-to-section" allows control panel user to move entries without section permissions
GHSA-f582-6gf6-gx4g published Mar 24, 2026 by angrybrad

Moderate
Anonymous "assets/image-editor" calls returns private asset editor metadata to unauthorized users
GHSA-vgjg-248p-rfm2 published Mar 24, 2026 by angrybrad

Low
Authorized asset "preview file" requests bypass allows users without asset access to retrieve private preview metadata
GHSA-44px-qjjc-xrhq published Mar 24, 2026 by angrybrad

Low
Anonymous "generate transform" calls for assets can expose private assets via transform URL
GHSA-5pgf-h923-m958 published Mar 24, 2026 by angrybrad

Moderate
Low-privilege users could read private asset contents when editing an asset (IDOR)
GHSA-3pvf-vxrv-hh9c published Mar 24, 2026 by angrybrad

Moderate
Unauthenticated users could execute project configuration sync operations that should be restricted trusted users
GHSA-6mrr-q3pj-h53w published Mar 24, 2026 by angrybrad

Moderate
Host header injection leads to SSRF via resource-js endpoint
GHSA-95wr-3f2v-v2wh published Apr 13, 2026 by angrybrad

Moderate
Potential authenticated Remote Code Execution via malicious attached Behavior
GHSA-2fph-6v5w-89hh published Mar 24, 2026 by angrybrad

High

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Reporting

Security Advisories

Security: craftcms/cms

Security Advisories