craftcms/cms Security Advisories for 4.17.11 (3)
-
[CRITICAL] Craft CMS: Blind SSRF and Arbitrary JavaScript Injection via Host Header Poisoning in actionResourceJs
PKSA-5xds-5mf3-ckxn CVE-2026-55791 GHSA-c55v-343g-5xff
Affected version: >=4.0.0-RC1,<4.18|>=5.0.0-RC1,<5.10
Reported by:
GitHub -
[HIGH] Craft CMS has Potential Authenticated Remote Code Execution via Malicious Attached Behavior
PKSA-7b21-z11x-97gc CVE-2026-44011 GHSA-qrgm-p9w5-rrfw
Affected version: >=5.0.0,<5.9.18|>=4.0.0,<4.17.12
Reported by:
GitHub -
[HIGH] Craft CMS's Missing Authorization in GraphQL Address Resolver Allows Cross-Scope PII Disclosure
PKSA-sxz1-z4jg-2vhh CVE-2026-44010 GHSA-gj2p-p9m4-c8gw
Affected version: >=4.0.0,<4.17.12|>=5.0.0,<5.9.18
Reported by:
GitHub