Vendor
high
advisory
Craft CMS GraphQL Address Resolver Missing Authorization Allows PII Disclosure
2 rules, 1 TTP
A missing authorization check in the GraphQL Address element resolver of Craft CMS Pro allows a GraphQL API token scoped to a low-privilege user group to read all addresses in the system, including those belonging to users in groups the token is not authorized to access, exposing personally identifiable information (PII).
cms +2
craftcms
graphql
pii
disclosure
high
advisory
Craft CMS Authenticated Remote Code Execution via Malicious Attached Behavior
2 rules, 2 TTPs
Craft CMS versions before 4.17.12 and 5.9.18 are vulnerable to authenticated remote code execution via malicious behavior injection in the field layout hydration path.
cms +1
craft-cms
rce
vulnerability