Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 597a5877ec46 · 2026-03-16T18:15:42.000Z
GHSA-4484-8v2f-5748 GHSA-67cr-jmh8-4jpq GHSA-hwj7-4vgc-j3v9
diff --git a/advisories/github-reviewed/2026/03/GHSA-4484-8v2f-5748/GHSA-4484-8v2f-5748.json b/advisories/github-reviewed/2026/03/GHSA-4484-8v2f-5748/GHSA-4484-8v2f-5748.json
@@ -0,0 +1,94 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4484-8v2f-5748",
+  "modified": "2026-03-16T18:13:15Z",
+  "published": "2026-03-16T18:13:15Z",
+  "aliases": [
+    "CVE-2026-32264"
+  ],
+  "summary": "Craft CMS vulnerable to behavior injection RCE ElementIndexesController and FieldsController",
+  "details": "The fix for https://github.com/advisories/GHSA-7jx7-3846-m7w7 (commit https://github.com/craftcms/cms/commit/395c64f0b80b507be1c862a2ec942eaacb353748) only patched `src/services/Fields.php`, but the same vulnerable pattern exists in `ElementIndexesController` and `FieldsController`.\n\nYou need Craft control panel administrator permissions, and allowAdminChanges must be enabled for this to work.\n\nAn attacker can use the same gadget chain from the original advisory to achieve RCE.\n\nUsers should update to Craft 4.17.5 and 5.9.11 to mitigate the issue.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "craftcms/cms"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "4.0.0-RC1"
+            },
+            {
+              "fixed": "4.17.5"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 4.17.4"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "craftcms/cms"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "5.0.0-RC1"
+            },
+            {
+              "fixed": "5.9.11"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 5.9.10"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/craftcms/cms/security/advisories/GHSA-4484-8v2f-5748"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/craftcms/cms/commit/78d181e12e0b15e1300f54ec85f19859d3300f70"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/craftcms/cms/commit/dfec46362fcb40b330ce8a4d8136446e65085620"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/craftcms/cms"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-470"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-16T18:13:15Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-67cr-jmh8-4jpq/GHSA-67cr-jmh8-4jpq.json b/advisories/github-reviewed/2026/03/GHSA-67cr-jmh8-4jpq/GHSA-67cr-jmh8-4jpq.json
@@ -0,0 +1,59 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-67cr-jmh8-4jpq",
+  "modified": "2026-03-16T18:14:23Z",
+  "published": "2026-03-16T18:14:23Z",
+  "aliases": [
+    "CVE-2026-32266"
+  ],
+  "summary": "Google Cloud Storage for Craft CMS has an Information Disclosure Vulnerability",
+  "details": "Unauthenticated users can view a list of buckets the plugin has access to.\n\nThe `DefaultController->actionLoadBucketData()` endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin is allowed to see.\n\nUsers should update to version 2.2.1 of the plugin to mitigate the issue.",
+  "severity": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "craftcms/google-cloud"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "2.0.0-beta.1"
+            },
+            {
+              "fixed": "2.2.1"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 2.2.0"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/craftcms/google-cloud/security/advisories/GHSA-67cr-jmh8-4jpq"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/craftcms/google-cloud/commit/651bacaa5f5fd7813e4075e0747b1d706391fb2c"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/craftcms/google-cloud"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-200"
+    ],
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-16T18:14:23Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-hwj7-4vgc-j3v9/GHSA-hwj7-4vgc-j3v9.json b/advisories/github-reviewed/2026/03/GHSA-hwj7-4vgc-j3v9/GHSA-hwj7-4vgc-j3v9.json
@@ -0,0 +1,64 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-hwj7-4vgc-j3v9",
+  "modified": "2026-03-16T18:13:33Z",
+  "published": "2026-03-16T18:13:33Z",
+  "aliases": [
+    "CVE-2026-32265"
+  ],
+  "summary": "Amazon S3 for Craft CMS has an Information Disclosure vulnerability",
+  "details": "Unauthenticated users can view a list of buckets the plugin has access to.\n\nThe `BucketsController->actionLoadBucketData()` endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin is allowed to see.\n\nUsers should update to version 2.2.5 of the plugin to mitigate the issue.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "craftcms/aws-s3"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "2.0.2"
+            },
+            {
+              "fixed": "2.2.5"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 2.2.4"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/craftcms/aws-s3/security/advisories/GHSA-hwj7-4vgc-j3v9"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/craftcms/aws-s3/commit/ef8904d8b6856e4a52893a9e1e52988ae110aa3f"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/craftcms/aws-s3"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-200"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-16T18:13:33Z",
+    "nvd_published_at": null
+  }
+}
