SB20260417106 - Multiple vulnerabilities in Craft CMS




Published: April 17, 2026

Security Bulletin ID: SB20260417106
CSH Severity: Low
Patch available: YES
Number of vulnerabilities: 5
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Low: 100%

Description

This security bulletin contains information about 5 vulnerabilities.


1) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2026-27128)

CWE-ID: CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to escalate privileges.

The vulnerability exists due to a time-of-check time-of-use (TOCTOU) race condition in the token validation service when handling concurrent requests for limited-usage impersonation tokens. A remote user can send concurrent requests using a valid impersonation URL to escalate privileges.

Exploitation requires obtaining a non-expired impersonation URL via some other means and bypassing any rate-limiting rules in place.


2) Cross-site scripting (CVE-ID: CVE-2026-27126)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary JavaScript in another user's browser.

The vulnerability exists due to cross-site scripting in editableTable.twig when rendering table fields with the html column type. A remote user can modify a field configuration to include a malicious payload to execute arbitrary JavaScript in another user's browser.

Exploitation requires an administrator account, allowAdminChanges to be enabled in production, and another user to view a page containing the malicious table field.


3) Cross-site scripting (CVE-ID: N/A)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary JavaScript in a victim's browser.

The vulnerability exists due to cross-site scripting in editableTable.twig when rendering row heading values in a table field. A remote user can inject a malicious row heading value to execute arbitrary JavaScript in a victim's browser.

Exploitation requires an administrator account and the allowAdminChanges setting to be enabled in production.


4) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-27129)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper SSRF protection in GraphQL Asset mutation URL validation when resolving hostnames that have only AAAA records. A remote user can send a specially crafted GraphQL asset mutation with a URL that resolves only to an IPv6 address to disclose sensitive information.

Exploitation requires GraphQL schema permissions to create and edit assets, or a public GraphQL schema that is misconfigured with write permissions.


5) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2026-27127)

CWE-ID: CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to bypass SSRF protections and disclose sensitive information.

The vulnerability exists due to a time-of-check time-of-use (TOCTOU) race condition in the GraphQL Asset mutation resolver, which validates a hostname separately from the subsequent HTTP request. A remote user can supply a URL that uses DNS rebinding to bypass SSRF protections and disclose sensitive information.

Exploitation requires GraphQL schema permissions to create or edit assets, or a public schema that is misconfigured with write permissions.
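Items 4 and 5 above describe two gaps in the same SSRF defence: a hostname check that only sees A records (so an AAAA-only name slips past it), and a hostname validated in one lookup but resolved again for the actual HTTP request (the window DNS rebinding uses). The Python below is an added example, not Craft CMS code: a hardened target validator that resolves both record types, rejects any non-global answer (IPv4-mapped IPv6 included), and pins the validated address for the connection, placed beside a hypothetical A-record-only check that waves the AAAA-only case through. All hostnames, addresses and function names are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed DNS answers (made-up names/addresses) so the example runs offline; the
# second entry has only an AAAA record, the case the advisory says an A-only check misses.
SAMPLE_DNS = {
    "cdn.example": [(socket.AF_INET, "11.22.33.44"), (socket.AF_INET6, "2a00:1234::10")],
    "aaaa-only.example": [(socket.AF_INET6, "fd00::1")],        # ULA, internal
    "mapped.example": [(socket.AF_INET6, "::ffff:10.0.0.7")],   # IPv4-mapped internal
}

def sample_resolver(host):
    return SAMPLE_DNS.get(host, [])

def system_resolver(host):
    # Ask for A and AAAA records in one lookup (AF_UNSPEC); returns (family, ip) pairs.
    return [(fam, sa[0]) for fam, _, _, _, sa in socket.getaddrinfo(host, None, socket.AF_UNSPEC)]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    # Judge IPv4-mapped IPv6 (::ffff:a.b.c.d) by the embedded IPv4 address.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not addr.is_global

def naive_is_safe(host, resolver=system_resolver):
    # The flawed pattern (hypothetical, not Craft's code): only IPv4 answers are
    # checked, so a name with no A record is waved through.
    v4 = [ip for fam, ip in resolver(host) if fam == socket.AF_INET]
    return all(not is_internal(ip) for ip in v4)

def pin_target(url, resolver=system_resolver):
    """Validate every A/AAAA answer once and return the exact address to connect to.
    The caller must connect to the returned 'ip' (sending the original hostname as Host
    header and SNI) instead of resolving the name again: a second lookup at connect
    time is the window a DNS-rebinding TOCTOU exploits."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("only absolute http(s) URLs are accepted")
    addrs = [ip for _, ip in resolver(parts.hostname)]
    if not addrs:
        raise ValueError(f"{parts.hostname}: no A or AAAA records")
    bad = [ip for ip in addrs if is_internal(ip)]
    if bad:
        raise ValueError(f"{parts.hostname} resolves to internal address(es): {bad}")
    return {"ip": addrs[0], "host": parts.hostname, "path": parts.path or "/",
            "port": parts.port or (443 if parts.scheme == "https" else 80)}
```

Any redirect the fetch follows needs the same treatment: run the new Location through pin_target before connecting, since a redirect to an internal name is another way to re-resolve after the check.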


Remediation

Install the update from the vendor's website.