craftcms/cms Security Advisories for 4.17.4 (6)
-
[LOW] Craft CMS may expose private assets through anonymous "generate transform" calls via transform URL
PKSA-swp1-ty4d-gpzy CVE-2026-33160 GHSA-5pgf-h923-m958
Affected version: >=4.0.0-RC1,<=4.17.7|>=5.0.0-RC1,<=5.9.13
Reported by:
GitHub -
[MEDIUM] Craft CMS: Unauthenticated Users Can Perform Restricted Project Config Sync Operations
PKSA-rxrx-pcy1-2csw CVE-2026-33159 GHSA-6mrr-q3pj-h53w
Affected version: >=4.0.0-RC1,<=4.17.7|>=5.0.0-RC1,<=5.9.13
Reported by:
GitHub -
[MEDIUM] Craft CMS: Low-privilege users could read private asset contents when editing an asset (IDOR)
PKSA-548y-fsbg-y9t7 CVE-2026-33158 GHSA-3pvf-vxrv-hh9c
Affected version: >=5.0.0-RC1,<=5.9.13|>=4.0.0-RC1,<=4.17.7
Reported by:
GitHub -
[HIGH] Craft CMS Vulnerable to Privilege Escalation/Bypass through UsersController->actionImpersonateWithToken()
PKSA-s8c8-j6wr-t4ds CVE-2026-32267 GHSA-cc7p-2j3x-x7xf
Affected version: >=5.0.0-RC1,<=5.9.11|>=4.0.0-RC1,<=4.17.5
Reported by:
GitHub -
[HIGH] Craft CMS vulnerable to behavior injection RCE ElementIndexesController and FieldsController
PKSA-1qxd-z2sm-yssc CVE-2026-32264 GHSA-4484-8v2f-5748
Affected version: >=5.0.0-RC1,<=5.9.10|>=4.0.0-RC1,<=4.17.4
Reported by:
GitHub -
[MEDIUM] Craft CMS has a Path Traversal Vulnerability in AssetsController
PKSA-y7v4-m2bd-8h2y CVE-2026-32262 GHSA-472v-j2g4-g9h2
Affected version: >=5.0.0-RC1,<=5.9.10|>=4.0.0-RC1,<=4.17.4
Reported by:
GitHub