craftcms/cms Security Advisories for 4.17.8 (4)
- [HIGH] Craft CMS has Potential Authenticated Remote Code Execution via Malicious Attached Behavior
  PKSA-7b21-z11x-97gc CVE-2026-44011 GHSA-qrgm-p9w5-rrfw
  Affected version: >=5.0.0,<5.9.18|>=4.0.0,<4.17.12
  Reported by: GitHub
- [HIGH] Craft CMS's Missing Authorization in GraphQL Address Resolver Allows Cross-Scope PII Disclosure
  PKSA-sxz1-z4jg-2vhh CVE-2026-44010 GHSA-gj2p-p9m4-c8gw
  Affected version: >=4.0.0,<4.17.12|>=5.0.0,<5.9.18
  Reported by: GitHub
- [MEDIUM] Craft CMS has a host header injection leading to SSRF via resource-js endpoint
  PKSA-ntd3-69q5-4cfy CVE-2026-41130 GHSA-95wr-3f2v-v2wh
  Affected version: >=4.0.0-RC1,<=4.17.8|>=5.0.0-RC1,<=5.9.14
  Reported by: GitHub
- [MEDIUM] Server-Side Request Forgery (SSRF) in Craft CMS with Asset Uploads Mutations
  PKSA-wb3t-ts8t-d4cj CVE-2026-41129 GHSA-3m9m-24vh-39wx
  Affected version: >=4.0.0-RC1,<=4.17.8|>=5.0.0-RC1,<=5.9.14
  Reported by: GitHub