๐จ CVE-2026-56381
Craft CMS from version 5.0.0-RC1 contains a stored cross-site scripting vulnerability in the User Permissions page where user group names are rendered without proper HTML escaping. Attackers with admin access can inject arbitrary JavaScript via the user group name field that executes when other users view or edit permissions.
๐@cveNotify
Craft CMS from version 5.0.0-RC1 contains a stored cross-site scripting vulnerability in the User Permissions page where user group names are rendered without proper HTML escaping. Attackers with admin access can inject arbitrary JavaScript via the user group name field that executes when other users view or edit permissions.
๐@cveNotify
GitHub
Stored XSS via User Group Name in User Permissions Page
## Summary
A stored XSS vulnerability exists in the User Permissions page. The User Group name is rendered without proper HTML escaping in the permissions section, allowing an attacker to execute ...
A stored XSS vulnerability exists in the User Permissions page. The User Group name is rendered without proper HTML escaping in the permissions section, allowing an attacker to execute ...
๐จ CVE-2026-56382
Craft CMS (composer package craftcms/cms) versions >= 5.5.0 and <= 5.9.13 contain a remote code execution vulnerability in the FieldsController::actionRenderCardPreview() method, which passes the fieldLayoutConfig POST parameter directly to Fields::createLayout() without calling Component::cleanseConfig(). An authenticated admin user can inject Yii2 event handlers (e.g., 'on init' keys) via the fieldLayoutConfig parameter to execute arbitrary PHP code and disclose sensitive information (such as environment variables containing database credentials and CRAFT_SECURITY_KEY). The issue is fixed in version 5.9.14.
๐@cveNotify
Craft CMS (composer package craftcms/cms) versions >= 5.5.0 and <= 5.9.13 contain a remote code execution vulnerability in the FieldsController::actionRenderCardPreview() method, which passes the fieldLayoutConfig POST parameter directly to Fields::createLayout() without calling Component::cleanseConfig(). An authenticated admin user can inject Yii2 event handlers (e.g., 'on init' keys) via the fieldLayoutConfig parameter to execute arbitrary PHP code and disclose sensitive information (such as environment variables containing database credentials and CRAFT_SECURITY_KEY). The issue is fixed in version 5.9.14.
๐@cveNotify
GitHub
RCE via missing cleanseConfig in FieldsController::actionRenderCardPreview
The `actionRenderCardPreview()` method in `FieldsController` passes the `fieldLayoutConfig` POST parameter directly to `Fields::createLayout()` without calling `Component::cleanseConfig()`. This al...
๐จ CVE-2026-56383
Craft CMS contains a stored cross-site scripting (XSS) vulnerability in the editableTable.twig component when using the 'Row Heading' column type. The application fails to sanitize input within row heading default values, allowing an attacker with an administrator account (with allowAdminChanges enabled) to inject arbitrary JavaScript that executes when another user views a page containing the affected table field. Affected versions are >= 4.5.0-beta.1 through 4.16.18 and >= 5.0.0-RC1 through 5.8.22; fixed in 4.16.19 and 5.8.23.
๐@cveNotify
Craft CMS contains a stored cross-site scripting (XSS) vulnerability in the editableTable.twig component when using the 'Row Heading' column type. The application fails to sanitize input within row heading default values, allowing an attacker with an administrator account (with allowAdminChanges enabled) to inject arbitrary JavaScript that executes when another user views a page containing the affected table field. Affected versions are >= 4.5.0-beta.1 through 4.16.18 and >= 5.0.0-RC1 through 5.8.22; fixed in 4.16.19 and 5.8.23.
๐@cveNotify
GitHub
Encode from _getInputHtml() ยท craftcms/cms@7b372de
Build bespoke content experiences with Craft. Contribute to craftcms/cms development by creating an account on GitHub.
๐จ CVE-2026-56384
Craft CMS contains a missing authorization vulnerability in the assets/preview-thumb endpoint. A Control Panel user without permission to view a target private asset can call the endpoint with an attacker-controlled assetId and receive preview HTML containing a signed fallback transform preview link for that private asset, because no asset-view permission check is performed before preview generation. This affects versions >= 4.0.0-RC1, <= 4.17.7 and >= 5.0.0-RC1, <= 5.9.13, and is fixed in 4.17.8 and 5.9.14.
๐@cveNotify
Craft CMS contains a missing authorization vulnerability in the assets/preview-thumb endpoint. A Control Panel user without permission to view a target private asset can call the endpoint with an attacker-controlled assetId and receive preview HTML containing a signed fallback transform preview link for that private asset, because no asset-view permission check is performed before preview generation. This affects versions >= 4.0.0-RC1, <= 4.17.7 and >= 5.0.0-RC1, <= 5.9.13, and is fixed in 4.17.8 and 5.9.14.
๐@cveNotify
GitHub
Fixed GHSA-5pgf-h923-m958 ยท craftcms/cms@d30df31
Build bespoke content experiences with Craft. Contribute to craftcms/cms development by creating an account on GitHub.
๐จ CVE-2026-56393
Craft CMS 4.x (>= 4.0.0-RC1, < 4.17.0-beta.1) and 5.x (>= 5.0.0-RC1, < 5.9.0-beta.1) contain multiple stored cross-site scripting vulnerabilities where settings names and field option labels are rendered without sanitization (e.g., via the checkbox.twig template, which used {{ label|raw }}). An authenticated administrator (with allowAdminChanges enabled) can inject malicious payloads into section names, volume names, user group names, global set names, generated field names, checkbox/radio option labels, and custom source labels, causing arbitrary JavaScript to execute in other users' control-panel sessions. Fixed in 4.17.0-beta.1 and 5.9.0-beta.1.
๐@cveNotify
Craft CMS 4.x (>= 4.0.0-RC1, < 4.17.0-beta.1) and 5.x (>= 5.0.0-RC1, < 5.9.0-beta.1) contain multiple stored cross-site scripting vulnerabilities where settings names and field option labels are rendered without sanitization (e.g., via the checkbox.twig template, which used {{ label|raw }}). An authenticated administrator (with allowAdminChanges enabled) can inject malicious payloads into section names, volume names, user group names, global set names, generated field names, checkbox/radio option labels, and custom source labels, causing arbitrary JavaScript to execute in other users' control-panel sessions. Fixed in 4.17.0-beta.1 and 5.9.0-beta.1.
๐@cveNotify
GitHub
Merge commit from fork ยท craftcms/cms@67780a7
Advisory fix 1
๐จ CVE-2026-56394
Craft CMS from 4.0.0-RC1 contains an authenticated path traversal vulnerability in the assets/icon endpoint where the extension parameter is not validated before file existence checks. Attackers can bypass extension validation by passing traversal sequences that resolve to existing SVG files, allowing local file read access.
๐@cveNotify
Craft CMS from 4.0.0-RC1 contains an authenticated path traversal vulnerability in the assets/icon endpoint where the extension parameter is not validated before file existence checks. Attackers can bypass extension validation by passing traversal sequences that resolve to existing SVG files, allowing local file read access.
๐@cveNotify
GitHub
Fixed GHSA-472v-j2g4-g9h2 ยท craftcms/cms@30f5f1a
Build bespoke content experiences with Craft. Contribute to craftcms/cms development by creating an account on GitHub.
๐จ CVE-2026-56395
SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads in package displayName, description, or README fields, exploiting Electron's nodeIntegration setting to execute OS commands.
๐@cveNotify
SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads in package displayName, description, or README fields, exploiting Electron's nodeIntegration setting to execute OS commands.
๐@cveNotify
GitHub
Remote Code Execution via Malicious Bazaar Package โ Marketplace XSS
# Remote Code Execution via Malicious Bazaar Package โ Marketplace XSS
## Summary
SiYuan's Bazaar (community marketplace) renders plugin/theme/template metadata and README content without...
## Summary
SiYuan's Bazaar (community marketplace) renders plugin/theme/template metadata and README content without...
๐จ CVE-2026-56396
phpMyFAQ before 4.1.4 contains missing authorization vulnerabilities in editUser() and updateUserRights() endpoints that allow authenticated administrators to escalate privileges. Non-SuperAdmin users with edit_user permission can set is_superadmin flag or grant arbitrary rights to escalate to SuperAdmin access.
๐@cveNotify
phpMyFAQ before 4.1.4 contains missing authorization vulnerabilities in editUser() and updateUserRights() endpoints that allow authenticated administrators to escalate privileges. Non-SuperAdmin users with edit_user permission can set is_superadmin flag or grant arbitrary rights to escalate to SuperAdmin access.
๐@cveNotify
GitHub
phpMyFAQ 4.1.3: incomplete fix for GHSA-xvp4-phqj-cjr3 โ editUser() and updateUserRights() lack authorization guards
## Advisory / Disclosure
# phpMyFAQ 4.1.3 โ incomplete fix for the admin-API IDOR/privilege-escalation class
**Target:** thorsten/phpMyFAQ (composer: `thorsten/phpmyfaq`, `phpmyfaq/phpmyfaq`)...
# phpMyFAQ 4.1.3 โ incomplete fix for the admin-API IDOR/privilege-escalation class
**Target:** thorsten/phpMyFAQ (composer: `thorsten/phpmyfaq`, `phpmyfaq/phpmyfaq`)...
๐จ CVE-2026-56397
SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads in package displayName, description, or README fields, exploiting Electron's nodeIntegration setting to execute OS commands.
๐@cveNotify
SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads in package displayName, description, or README fields, exploiting Electron's nodeIntegration setting to execute OS commands.
๐@cveNotify
GitHub
Remote Code Execution via Malicious Bazaar Package โ Marketplace XSS
# Remote Code Execution via Malicious Bazaar Package โ Marketplace XSS
## Summary
SiYuan's Bazaar (community marketplace) renders plugin/theme/template metadata and README content without...
## Summary
SiYuan's Bazaar (community marketplace) renders plugin/theme/template metadata and README content without...
๐จ CVE-2026-56406
libexpat before 2.8.2 has an integer overflow in XML_ParseBuffer because it lacked a check that was present in XML_Parse.
๐@cveNotify
libexpat before 2.8.2 has an integer overflow in XML_ParseBuffer because it lacked a check that was present in XML_Parse.
๐@cveNotify
GitHub
lib: Copy overflow check from `XML_Parse` to `XML_ParseBuffer` by hartwork ยท Pull Request #1255 ยท libexpat/libexpat
CC @Phlegmelm @Smattr
๐จ CVE-2026-56407
libexpat before 2.8.2 has an integer overflow in doProlog that is related to storeEntityValue and entity textLen.
๐@cveNotify
libexpat before 2.8.2 has an integer overflow in doProlog that is related to storeEntityValue and entity textLen.
๐@cveNotify
GitHub
Cap entity textLen against signed integer overflow by netliomax25-code ยท Pull Request #1262 ยท libexpat/libexpat
Hit this while fuzzing internal entity declarations. storeEntityValue stashes
the replacement text length with (int)poolLength(...), but the entity value
pool can grow past INT_MAX, so a huge &...
the replacement text length with (int)poolLength(...), but the entity value
pool can grow past INT_MAX, so a huge &...
๐จ CVE-2026-56409
xmlwf in libexpat before 2.8.2 has an integer overflow for the output filename when -d outputDir is used.
๐@cveNotify
xmlwf in libexpat before 2.8.2 has an integer overflow for the output filename when -d outputDir is used.
๐@cveNotify
GitHub
xmlwf: Protect output path join from integer overflow by netliomax25-code ยท Pull Request #1259 ยท libexpat/libexpat
Noticed the -d outputDir branch in main() sizes the output filename with (tcslen(outputDir) + tcslen(file) + 2) * sizeof(XML_Char) and then tcscpy/tcscat the parts in, with neither the addition nor...
๐จ CVE-2026-56410
xmlwf in libexpat before 2.8.2 has an integer overflow in resolveSystemId.
๐@cveNotify
xmlwf in libexpat before 2.8.2 has an integer overflow in resolveSystemId.
๐@cveNotify
GitHub
xmlwf: protect resolveSystemId from integer overflow by netliomax25-code ยท Pull Request #1252 ยท libexpat/libexpat
resolveSystemId builds an absolute path by allocating (tcslen(base) + tcslen(systemId) + 2) * sizeof(XML_Char), then copies base and systemId in. systemId comes from an external entity SYSTEM ident...
๐จ CVE-2026-56411
xmlwf in libexpat before 2.8.2 has an integer overflow in endDoctypeDecl via NOTATION declarations.
๐@cveNotify
xmlwf in libexpat before 2.8.2 has an integer overflow in endDoctypeDecl via NOTATION declarations.
๐@cveNotify
GitHub
xmlwf: protect notation list allocation from integer overflow by netliomax25-code ยท Pull Request #1263 ยท libexpat/libexpat
endDoctypeDecl() counts NOTATION declarations from the DTD into a plain int and then mallocs notationCount * sizeof(NotationList *) with no overflow guard, so on 32-bit the multiply can wrap and un...
๐จ CVE-2026-56412
libexpat before 2.8.2 does not consider XML_TOK_DATA_CHARS in doCdataSection and thus lacks handler call depth tracking for various calls from within handlers in cases of a policy violation. Thus, a use-after-free can occur. NOTE: this issue exists because of an incomplete fix for CVE-2026-50219.
๐@cveNotify
libexpat before 2.8.2 does not consider XML_TOK_DATA_CHARS in doCdataSection and thus lacks handler call depth tracking for various calls from within handlers in cases of a policy violation. Thus, a use-after-free can occur. NOTE: this issue exists because of an incomplete fix for CVE-2026-50219.
๐@cveNotify
GitHub
[CVE-REQUESTED] lib: Guard `XML_TOK_DATA_CHARS` handler calls in `doCdataSection` by hextheshadow ยท Pull Request #1278 ยท libexpat/libexpat
Self-Diagnosis
This pull request fixes #ISSUE_NUMBER.
This pull request is related to [CVE-2026-50219] Introduce handler call depth tracking #1246.
This pull request is small, uncontroversial,...
This pull request fixes #ISSUE_NUMBER.
This pull request is related to [CVE-2026-50219] Introduce handler call depth tracking #1246.
This pull request is small, uncontroversial,...
๐จ CVE-2026-12804
A vulnerability was detected in lemonldap-ng up to 2.23.0. Impacted is an unknown function in the library lemonldap-ng-portal/lib/Lemonldap/NG/Portal/CDC.pm of the component SAML Common Domain Cookie Endpoint. Performing a manipulation of the argument url results in open redirect. The attack is possible to be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
A vulnerability was detected in lemonldap-ng up to 2.23.0. Impacted is an unknown function in the library lemonldap-ng-portal/lib/Lemonldap/NG/Portal/CDC.pm of the component SAML Common Domain Cookie Endpoint. Performing a manipulation of the argument url results in open redirect. The attack is possible to be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
Vulnerability Database
CVE-2026-12804 in lemonldap-ng
A vulnerability was detected in lemonldap-ng up to 2.23.0. This vulnerability is reported as CVE-2026-12804.
๐จ CVE-2026-12805
A flaw has been found in OFFIS DCMTK up to 3.7.0. The affected element is the function XMLNode::parseFile in the library ofstd/libsrc/ofxml.cc. Executing a manipulation can lead to heap-based buffer overflow. The attack may be performed from remote. The exploit has been published and may be used. This patch is called 1d4b3815c0987840a983160bfc671fef63a3105b. It is best practice to apply a patch to resolve this issue. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
๐@cveNotify
A flaw has been found in OFFIS DCMTK up to 3.7.0. The affected element is the function XMLNode::parseFile in the library ofstd/libsrc/ofxml.cc. Executing a manipulation can lead to heap-based buffer overflow. The attack may be performed from remote. The exploit has been published and may be used. This patch is called 1d4b3815c0987840a983160bfc671fef63a3105b. It is best practice to apply a patch to resolve this issue. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
๐@cveNotify