CVE-2025-6384

>= 4.0.0 and < 4.3.0

Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of CrafterCMS allows authenticated develope

9.1CRITICAL

CVE-2025-0502

>= 4.0.0 and < 4.0.8

Transmission of Private Resources into a New Sphere ('Resource Leak') vulnerability in CrafterCMS Engine on Linux, MacOS, x86, Win

9.1CRITICAL

CVE-2023-4136

>= 3.1.0 and <= 3.1.27

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CrafterCMS Engine on Windows

7.4HIGH

CVE-2023-33194

all versions

Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Po

3.7LOW

CVE-2023-26020

>= 3.1.0 and <= 3.1.26

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Crafter Studio on Linux, Mac

5.7MEDIUM

CVE-2022-40635

>= 3.1.0 and < 3.1.23

Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated develop

6.4MEDIUM

CVE-2022-40634

>= 3.1.0 and < 3.1.23

Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated develop

6.4MEDIUM

CVE-2021-23267

>= 3.1 and < 3.1.18

Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated develop

7.6HIGH

CVE-2021-23266

>= 3.1 and < 3.1.18

An anonymous user can craft a URL with text that ends up in the log viewer as is. The text can then include textual messages to mi

4.3MEDIUM

CVE-2021-23265

>= 3.1 and < 3.1.18

A logged-in and authenticated user with a Reviewer Role may lock a content item.

3.5LOW

CVE-2021-23264

>= 3.1.0 and < 3.1.15

Installations, where crafter-search is not protected, allow unauthenticated remote attackers to create, view, and delete search in

8.1HIGH

CVE-2021-23263

>= 3.1.0 and < 3.1.15

Unauthenticated remote attackers can read textual content via FreeMarker including files /scripts/, /templates/ and some of the

5.9MEDIUM

CVE-2021-23262

>= 3.1.0 and < 3.1.13

Authenticated administrators may modify the main YAML configuration file and load a Java class resulting in RCE.

4.2MEDIUM

CVE-2021-23261

>= 3.1.0 and < 3.1.13

Authenticated administrators may override the system configuration file and cause a denial of service.

4.5MEDIUM

CVE-2021-23260

>= 3.1.0 and < 3.1.12

Authenticated users with Site roles may inject XSS scripts via file names that will execute in the browser for this and other user

6.5MEDIUM

CVE-2021-23259

>= 3.1.0 and < 3.1.12

Authenticated users with Administrator or Developer roles may execute OS commands by Groovy Script which uses Groovy lib to render

4.2MEDIUM

CVE-2021-23258

>= 3.1.0 and < 3.1.12

Authenticated users with Administrator or Developer roles may execute OS commands by SPEL Expression in Spring beans. SPEL Express

4.2MEDIUM

CVE-2017-15686

>= 3.0.0 and < 3.0.1

Crafter CMS Crafter Studio 3.0.1 is affected by: Cross Site Scripting (XSS), which allows remote attackers to steal users’ cooki

6.1MEDIUM

CVE-2017-15685

>= 3.0.0 and < 3.0.1

Crafter CMS Crafter Studio 3.0.1 is affected by: XML External Entity (XXE). An unauthenticated attacker is able to create a site w

8.6HIGH

CVE-2017-15684

>= 3.0.0 and < 3.0.1

Crafter CMS Crafter Studio 3.0.1 has a directory traversal vulnerability which allows unauthenticated attackers to view files from

7.5HIGH

CVE-2017-15683

>= 3.0.0 and < 3.0.1

In Crafter CMS Crafter Studio 3.0.1 an unauthenticated attacker is able to create a site with specially crafted XML that allows th

8.6HIGH

CVE-2017-15682

>= 3.0.0 and < 3.0.1

In Crafter CMS Crafter Studio 3.0.1 an unauthenticated attacker is able to inject malicious JavaScript code resulting in a stored/

6.1MEDIUM

CVE-2017-15681

>= 3.0.0 and < 3.0.1

In Crafter CMS Crafter Studio 3.0.1 a directory traversal vulnerability exists which allows unauthenticated attackers to overwrite

9.8CRITICAL

CVE-2017-15680

>= 3.0 and < 3.0.1

In Crafter CMS Crafter Studio 3.0.1 an IDOR vulnerability exists which allows unauthenticated attackers to view and modify adminis

6.5MEDIUM

CVE-2020-25803

>= 3.0.0 and < 3.0.27

Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated develop

4.2MEDIUM

CVE-2020-25802

>= 3.0.0 and < 3.0.27

Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated develop

4.2MEDIUM

CVE-2018-19907

<= 3.0.18

A Server-Side Template Injection issue was discovered in Crafter CMS 3.0.18. Attackers with developer privileges may execute OS co

8.8HIGH