SB20260417106 - Multiple vulnerabilities in Craft CMS
Published: April 17, 2026
Breakdown by Severity
Description
This security bulletin contains information about 5 security vulnerabilities.
1) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2026-27128)
The vulnerability allows a remote user to escalate privileges.
The vulnerability exists due to a time-of-check time-of-use (TOCTOU) race condition in the token validation service when handling concurrent requests for limited-usage impersonation tokens. A remote user can send concurrent requests using a valid impersonation URL to escalate privileges.
Exploitation requires obtaining a non-expired impersonation URL via some other means and bypassing any rate-limiting rules in place.
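The following is an added illustration, not Craft's token validation code. It models a limited-usage token store in Python and shows why a separate "check usage, then record usage" sequence is a race: an injected hook (here a threading barrier, a common way to pin down a race window in a test) lets several concurrent consumers pass the check before any of them records a use. The hardened variant performs check and update under one lock. Token ids, limits and the in-memory store are constructed for the demo.

```python
import threading
import time


class TokenStore:
    """Constructed in-memory store for limited-use tokens (not Craft's implementation)."""

    def __init__(self):
        self._tokens = {}          # token id -> {"uses", "max_uses", "expires"}
        self._lock = threading.Lock()

    def issue(self, token_id, max_uses, ttl_seconds):
        self._tokens[token_id] = {
            "uses": 0,
            "max_uses": max_uses,
            "expires": time.time() + ttl_seconds,
        }

    def _usable(self, rec):
        return rec is not None and rec["uses"] < rec["max_uses"] and rec["expires"] > time.time()

    def consume_racy(self, token_id, between_check_and_use=None):
        """Vulnerable pattern: the check and the update are separate steps."""
        rec = self._tokens.get(token_id)
        if not self._usable(rec):                 # time of check
            return False
        if between_check_and_use:
            between_check_and_use()               # window in which other requests pass the check too
        rec["uses"] += 1                          # time of use
        return True

    def consume_atomic(self, token_id, between_check_and_use=None):
        """Hardened pattern: check and update inside one critical section."""
        if between_check_and_use:
            between_check_and_use()               # any delay happens outside the critical section
        with self._lock:
            rec = self._tokens.get(token_id)
            if not self._usable(rec):
                return False
            rec["uses"] += 1
            return True


def concurrent_uses(consume, token_id, attempts):
    """Run `attempts` concurrent consumers of one token; return how many succeeded."""
    barrier = threading.Barrier(attempts)         # every thread reaches it before any proceeds
    results, results_lock = [], threading.Lock()

    def worker():
        ok = consume(token_id, between_check_and_use=barrier.wait)
        with results_lock:
            results.append(ok)

    threads = [threading.Thread(target=worker) for _ in range(attempts)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)
```

With `max_uses=1` and five concurrent attempts, `consume_racy` reports five successful uses while `consume_atomic` reports exactly one. An in-process lock only protects a single worker; in a multi-process web deployment the same property is obtained from the database, for example a single conditional update of the form `UPDATE ... SET uses = uses + 1 WHERE id = ? AND uses < max_uses` whose affected-row count decides whether the token was consumed.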
2) Cross-site scripting (CVE-ID: CVE-2026-27126)
The vulnerability allows a remote user to execute arbitrary JavaScript in another user's browser.
The vulnerability exists due to cross-site scripting in editableTable.twig when rendering table fields with the html column type. A remote user can modify a field configuration to include a malicious payload to execute arbitrary JavaScript in another user's browser.
Exploitation requires an administrator account, allowAdminChanges to be enabled in production, and another user to view a page containing the malicious table field.
3) Cross-site scripting (CVE-ID: N/A)
The vulnerability allows a remote user to execute arbitrary JavaScript in a victim's browser.
The vulnerability exists due to cross-site scripting in editableTable.twig when rendering row heading values in a table field. A remote user can inject a malicious row heading value to execute arbitrary JavaScript in a victim's browser.
Exploitation requires an administrator account and the allowAdminChanges setting to be enabled in production.
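As an added example covering items 2 and 3 (it is not Craft's editableTable.twig), the Python function below renders a table field so that row headings and cell values are emitted as inert text in both element and attribute context. The column and row structure, and the payload used in the check, are constructed for the demo.

```python
from html import escape

# Constructed renderer (not Craft's template): every user-controlled string is
# escaped for the HTML context it lands in before it is concatenated into markup.


def render_table(columns, rows):
    """columns: list of {"heading": str}; rows: list of {"heading": str, "cells": [str, ...]}."""
    out = ["<table>", "<thead><tr><th></th>"]
    for col in columns:
        out.append(f"<th>{escape(col['heading'])}</th>")
    out.append("</tr></thead><tbody>")
    for row in rows:
        # quote=True also escapes " and ', so the same value is safe inside an attribute
        heading = escape(row["heading"], quote=True)
        out.append(f'<tr><th scope="row" data-heading="{heading}">{heading}</th>')
        for cell in row["cells"]:
            out.append(f"<td>{escape(cell)}</td>")
        out.append("</tr>")
    out.append("</tbody></table>")
    return "".join(out)


def is_markup_inert(rendered, payload):
    """True when the raw payload does not survive into the output as markup."""
    return payload not in rendered and escape(payload) in rendered
```

The point of the attribute case is that escaping only `<` and `>` is not enough once a heading is also written into an attribute value; the quote characters must be escaped as well, which `escape(..., quote=True)` does.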
4) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-27129)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper SSRF protection in GraphQL Asset mutation URL validation when resolving hostnames that have only AAAA records. A remote user can send a specially crafted GraphQL asset mutation with a URL that resolves only to an IPv6 address to disclose sensitive information.
Exploitation requires GraphQL schema permissions to create and edit assets, or a public GraphQL schema that is misconfigured with write permissions.
5) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2026-27127)
The vulnerability allows a remote user to bypass SSRF protections and disclose sensitive information.
The vulnerability exists due to a time-of-check time-of-use (TOCTOU) race condition in the GraphQL Asset mutation resolver when validating a hostname separately from the subsequent HTTP request. A remote user can supply a URL that uses DNS rebinding to bypass SSRF protections and disclose sensitive information.
Exploitation requires GraphQL schema permissions to create or edit assets, or a public schema that is misconfigured with write permissions.
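The Python example below is an added illustration for items 4 and 5; it is not Craft's validator. It shows the two properties a URL check for server-side fetches needs: resolving all address families (A and AAAA, via `AF_UNSPEC`) and unwrapping IPv4 addresses embedded in IPv6 before the range check, and then connecting to the address that was validated rather than letting the HTTP client resolve the name a second time. A scripted resolver whose answer changes between calls stands in for DNS rebinding, and a recording stub stands in for the HTTP client; hostnames, addresses and the resolver are constructed for the demo.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed example (not Craft's code): destination validation for server-side
# fetches that covers IPv4, IPv6 and IPv4-embedded IPv6 forms, plus "pinning" of
# the validated address so a DNS answer that changes between check and use
# cannot redirect the request.

NAT64_PREFIX = ipaddress.ip_network("64:ff9b::/96")   # RFC 6052 well-known prefix


def normalize(addr):
    """Unwrap IPv4 addresses embedded in IPv6 so range checks see the real target."""
    ip = ipaddress.ip_address(addr.split("%", 1)[0])   # drop a zone id such as %eth0
    if ip.version == 6:
        if ip.ipv4_mapped is not None:                 # ::ffff:a.b.c.d
            return ip.ipv4_mapped
        if ip in NAT64_PREFIX:                         # 64:ff9b::a.b.c.d
            return ipaddress.IPv4Address(int(ip) & 0xFFFFFFFF)
    return ip


def is_internal(addr):
    """True for any address a server-side fetch must never reach."""
    ip = normalize(addr)
    return (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified
            or (ip.version == 6 and ip.is_site_local))


def system_resolver(host):
    """Resolve A and AAAA records (AF_UNSPEC), not only A."""
    infos = socket.getaddrinfo(host, None, socket.AF_UNSPEC, socket.SOCK_STREAM)
    return [info[4][0] for info in infos]


def validate_url(url, resolver=system_resolver):
    """Return every address the host resolves to, or raise if any one is internal."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("only absolute http(s) URLs are accepted")
    host = parts.hostname
    try:
        ipaddress.ip_address(host)
        addrs = [host]                                 # literal address, no DNS involved
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        raise ValueError(f"{host} did not resolve")
    bad = [a for a in addrs if is_internal(a)]
    if bad:
        raise ValueError(f"{host} resolves to internal address(es): {bad}")
    return addrs


def is_url_allowed(url, resolver=system_resolver):
    try:
        validate_url(url, resolver)
        return True
    except ValueError:
        return False


def _port(parts):
    return parts.port or (443 if parts.scheme == "https" else 80)


def fetch_unpinned(url, resolver, connect):
    """Flawed pattern: validate, then let the HTTP client resolve the name again."""
    parts = urlsplit(url)
    validate_url(url, resolver)                        # time of check
    ip = resolver(parts.hostname)[0]                   # time of use: a second lookup
    return connect(ip, _port(parts), parts.hostname)


def fetch_pinned(url, resolver, connect):
    """Hardened pattern: connect to the address that was actually validated."""
    parts = urlsplit(url)
    ip = validate_url(url, resolver)[0]
    return connect(ip, _port(parts), parts.hostname)   # Host header keeps the original name


class ScriptedResolver:
    """Constructed resolver that changes its answer between calls (rebinding)."""

    def __init__(self, answers):
        self.answers = list(answers)

    def __call__(self, host):
        return self.answers.pop(0) if len(self.answers) > 1 else self.answers[0]


def record_connect(ip, port, host_header):
    """Stand-in for the HTTP client: report where the connection would go."""
    return ip
```

Pinning the address is only complete when the client also sends the original hostname in the Host header and TLS SNI, validates the certificate against that name, and re-runs the same validation on every redirect hop rather than following redirects automatically.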
Remediation
Install the update from the vendor's website.
References
- https://github.com/craftcms/cms/security/advisories/GHSA-6fx5-5cw5-4897
- https://github.com/advisories/GHSA-6fx5-5cw5-4897
- https://github.com/craftcms/cms/security/advisories/GHSA-3jh3-prx3-w6wc
- https://github.com/advisories/GHSA-3jh3-prx3-w6wc
- https://github.com/craftcms/cms/security/advisories/GHSA-6j87-m5qx-9fqp
- https://github.com/advisories/GHSA-6j87-m5qx-9fqp
- https://github.com/craftcms/cms/security/advisories/GHSA-v2gc-rm6g-wrw9
- https://github.com/advisories/GHSA-v2gc-rm6g-wrw9
- https://github.com/craftcms/cms/security/advisories/GHSA-gp2f-7wcm-5fhx
- https://github.com/advisories/GHSA-gp2f-7wcm-5fhx