Cross-Site Scripting vulnerability due to improper sanitization of plugin settings. Allows high-privilege users to inject malicious scripts even when unfiltered_html is disabled. Affects versions before 1.0.4.

Authenticated Remote Code Execution vulnerability in PluXml CMS version 5.8.22. Allows administrators to inject malicious PHP webshells into theme files such as home.php via improper neutralization of special elements.

Authenticated RCE through Twig Server-Side Template Injection (SSTI) in Craft CMS. Exploitable via the Twig map filter in text fields under Settings or through the System Messages utility. Requires admin access and allowAdminChanges enabled.

Remote Code Execution vulnerability in Craft CMS via the assembleLayoutFromPost() function in Fields.php. Fails to sanitize user-supplied configuration data before passing to Craft::createObject(), allowing authenticated administrators to inject malicious Yii2 behavior configurations for arbitrary command execution.

Server-Side Request Forgery protection bypass in Craft CMS GraphQL Asset mutation. The SSRF validation uses gethostbyname() which only resolves IPv4. Hostnames with only AAAA (IPv6) records return the hostname itself, bypassing the blocklist completely.

Time-of-Check-Time-of-Use (TOCTOU) vulnerability enabling DNS rebinding attacks. Allows attackers to bypass SSRF protections by returning different IP addresses during validation vs actual request. Bypasses CVE-2025-68437 fix, granting access to all blocked IPs.

Unauthenticated users can access the actionSendActivationEmail() endpoint without permission checks for pending users. Attackers can trigger activation emails for any pending user account by knowing/guessing a user ID, potentially leading to unauthorized account activation.

Remote Code Execution vulnerability via the Twig map filter in text fields accepting Twig input. Exploitable through Settings in Craft control panel or the System Messages utility. Requires admin access with allowAdminChanges enabled, or non-admin access to System Messages.

Insecure Direct Object Reference (IDOR) vulnerability in Craft Commerce's cart functionality. Allows users to hijack any shopping cart by knowing or guessing its 32-character number, enabling takeover of shopping sessions and potential PII exposure. No ownership validation is performed - the CartController only checks if the order exists and is incomplete.