CMS

craftcms/cms

Build bespoke content experiences with Craft.

#cms#craftcms#yii2#php#twig#php7#content-management#craft3#php8#graphql#craft4

スコア

/ 100

Star

3,569

Fork

692

Open Issue

465

サイズ

980MB

言語

PHP ★

最終push

0 日前

Docker

—

採点内訳

過去CVE 19件 (やや多い)

✓

直近 push: 0 日前

✓

得意言語 (PHP)

✓

オープンissue 465件

✓

超大規模 (1.0GB)

—

Docker 未対応

—

1k–10k: 初心者ベスト (★3,569)

✓

※ 各項目の重みは「採点ルール」を参照。合計は 0 で底打ち。

過去の SecurityAdvisory (20 件)

MEDIUMGHSA-qrgm-p9w5-rrfw CVE-2026-440112026/4/27
Potential authenticated Remote Code Execution via malicious attached Behavior
MEDIUMGHSA-gj2p-p9m4-c8gw CVE-2026-440102026/4/27
Missing Authorization in GraphQL Address Resolver Allows Cross-Scope PII Disclosure
MEDIUMGHSA-33m5-hqp9-97pw CVE-2026-440122026/4/27
Missing Volume Permission Check in AssetsController::actionShowInFolder Allows Information Disclosure
MEDIUMGHSA-95wr-3f2v-v2wh CVE-2026-411302026/4/13
Host header injection leads to SSRF via resource-js endpoint
MEDIUMGHSA-3m9m-24vh-39wx CVE-2026-411292026/4/13
Server-Side Request Forgery (SSRF) in Craft CMS with Asset Uploads Mutations
MEDIUMGHSA-jq2f-59pj-p3m3 CVE-2026-411282026/4/13
Missing Authorization Check on User Group Removal via save-permissions Action
MEDIUMGHSA-f582-6gf6-gx4g CVE-2026-331622026/3/24
Authorization bypass in "entries/move-to-section" allows control panel user to move entries without section permissions
HIGHGHSA-2fph-6v5w-89hh CVE-2026-331572026/3/24
Potential authenticated Remote Code Execution via malicious attached Behavior
LOWGHSA-44px-qjjc-xrhq2026/3/24
Authorized asset "preview file" requests bypass allows users without asset access to retrieve private preview metadata
LOWGHSA-vgjg-248p-rfm2 CVE-2026-331612026/3/24
Anonymous "assets/image-editor" calls returns private asset editor metadata to unauthorized users
MEDIUMGHSA-5pgf-h923-m958 CVE-2026-331602026/3/24
Anonymous "generate transform" calls for assets can expose private assets via transform URL
MEDIUMGHSA-3pvf-vxrv-hh9c CVE-2026-331582026/3/24
Low-privilege users could read private asset contents when editing an asset (IDOR)
MEDIUMGHSA-6mrr-q3pj-h53w CVE-2026-331592026/3/24
Unauthenticated users could execute project configuration sync operations that should be restricted trusted users
HIGHGHSA-cc7p-2j3x-x7xf CVE-2026-322672026/3/16
Privilege Escalation/Bypass through UsersController->actionImpersonateWithToken()
MEDIUMGHSA-4484-8v2f-5748 CVE-2026-322642026/3/16
Incomplete fix for GHSA-7jx7-3846-m7w7: Behavior injection RCE ElementIndexesController and FieldsController
MEDIUMGHSA-qx2q-q59v-wf3j CVE-2026-322632026/3/16
Incomplete fix for GHSA-7jx7-3846-m7w7: Behavior injection RCE via EntryTypesController
LOWGHSA-472v-j2g4-g9h2 CVE-2026-322622026/3/16
Path Traversal in AssetsController
MEDIUMGHSA-3x4w-mxpf-fhqq CVE-2026-330512026/3/16
Stored XSS in Revision Context Menu
HIGHGHSA-g7j6-fmwx-7vp8 CVE-2026-318582026/3/9
ElementSearchController Blind SQL Injection (Bypass of GHSA-2453-mppf-46cj)
HIGHGHSA-fp5j-j7j4-mcxc CVE-2026-318572026/3/9
RCE vulnerability via relational conditionals in the control panel