Craftcms

A pre-authenticated server-side template injection vulnerability (CVE-2026-45697) exists in the Hidden fields of the Formie Craft plugin, allowing unauthenticated users to submit crafted values that are evaluated as Twig during submission handling, potentially leading to site compromise.

Craft CMS versions 5.0.0-RC1 before 5.9.18 are vulnerable to information disclosure where an authenticated control panel user with only accessCp permission can discover filenames and the complete folder structure of assets in unauthorized volumes by supplying arbitrary asset IDs to AssetsController::actionShowInFolder(), exposing sensitive volume structures and enabling targeted follow-up attacks.

A missing authorization check in the GraphQL Address element resolver of Craft CMS Pro allows a GraphQL API token scoped to a low-privilege user group to read all addresses in the system, including those belonging to users in groups the token is not authorized to access, exposing personally identifiable information (PII).

A remote code execution vulnerability exists in Craft CMS versions 5.6.0 through 5.9.12, where any authenticated user with control panel access can exploit the vulnerability by injecting malicious behavior via the `fieldLayouts` parameter in `ElementIndexesController::actionFilterHud()` due to the unsanitized parameter being passed to `FieldLayout::createFromConfig()`.