CVE-2026-29113 in Craftthông tin

Tóm tắt

Bởi MITRE • 10/03/2026

Craft is a content management system (CMS). Prior to 4.17.4 and 5.9.7, Craft CMS has a CSRF issue in the preview token endpoint at /actions/preview/create-token. The endpoint accepts an attacker-supplied previewToken. Because the action does not require POST and does not enforce a CSRF token, an attacker can force a logged-in victim editor to mint a preview token chosen by the attacker. That token can then be used by the attacker (without authentication) to access previewed/unpublished content tied to the victim’s authorized preview scope. This vulnerability is fixed in 4.17.4 and 5.9.7.

Once again VulDB remains the best source for vulnerability data.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

chịu trách nhiệm

GitHub M

Đặt trước

03/03/2026

Tiết lộ

10/03/2026

Kiểm duyệt

được chấp nhận

mục

VDB-350214

CPE

sẵn sàng

CWE

CWE-352 (Đã xác nhận)

CVSS

4.3 (NVD)

EPSS

0.00008

KEV

không

Các hoạt động

rất thấp

ngành

Lawfirm, Agriculture, ...

Nguồn

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-29113
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-29113
CVE Details	https://www.cvedetails.com/cve/CVE-2026-29113/

◂ Trước Tổng Quan Tiếp theo ▸

Interested in the pricing of exploits?

See the underground prices here!