Juzaweb Cms


By the Year

In 2026 there have been 7 vulnerabilities in Juzaweb Cms with an average score of 5.2 out of ten. Last year, in 2025, Juzaweb Cms had 12 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Juzaweb Cms in 2026 could surpass last year's number. Last year, the average CVE base score was greater by 1.23.

Year  Vulnerabilities  Average Score
2026  7                5.24
2025  12               6.48
2024  2                4.90
2023  2                6.60

It may take a day or so for new Juzaweb Cms vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Juzaweb Cms Security Vulnerabilities

Craft CMS 4.0.0RC1 Path Traversal Local File Read via assets/icon
CVE-2026-56394 6.5 - Medium - June 21, 2026

Craft CMS from 4.0.0-RC1 contains an authenticated path traversal vulnerability in the assets/icon endpoint where the extension parameter is not validated before file existence checks. Attackers can bypass extension validation by passing traversal sequences that resolve to existing SVG files, allowing local file read access.

Directory traversal

Stored XSS in Craft CMS 4.x/5.x <4.17.0/5.9.0
CVE-2026-56393 4.8 - Medium - June 21, 2026

Craft CMS 4.x (>= 4.0.0-RC1, < 4.17.0-beta.1) and 5.x (>= 5.0.0-RC1, < 5.9.0-beta.1) contain multiple stored cross-site scripting vulnerabilities where settings names and field option labels are rendered without sanitization (e.g., via the checkbox.twig template, which used {{ label|raw }}). An authenticated administrator (with allowAdminChanges enabled) can inject malicious payloads into section names, volume names, user group names, global set names, generated field names, checkbox/radio option labels, and custom source labels, causing arbitrary JavaScript to execute in other users' control-panel sessions. Fixed in 4.17.0-beta.1 and 5.9.0-beta.1.

XSS

Craft CMS <=5.9.13 Auth Bypass via assets/preview-file (fixed 5.9.14)
CVE-2026-56385 4.3 - Medium - June 21, 2026

Craft CMS versions >= 5.0.0-RC1, <= 5.9.13 and >= 4.0.0-RC1, <= 4.17.7 contain an authorization bypass in the assets/preview-file endpoint. The action does not enforce per-asset view authorization before returning preview content, allowing an authenticated low-privileged user to supply a controlled assetId for an asset they are not permitted to view and still receive preview response data (previewHtml), including a private preview image route containing the target private assetId. Fixed in 5.9.14 and 4.17.8.

Insecure Direct Object Reference / IDOR

Craft CMS 4.x/5.x XSS in editableTable.twig via Row Heading
CVE-2026-56383 4.8 - Medium - June 21, 2026

Craft CMS contains a stored cross-site scripting (XSS) vulnerability in the editableTable.twig component when using the 'Row Heading' column type. The application fails to sanitize input within row heading default values, allowing an attacker with an administrator account (with allowAdminChanges enabled) to inject arbitrary JavaScript that executes when another user views a page containing the affected table field. Affected versions are >= 4.5.0-beta.1 through 4.16.18 and >= 5.0.0-RC1 through 5.8.22; fixed in 4.16.19 and 5.8.23.

XSS

Craft CMS previewthumb auth bypass pre 4.17.8/5.9.14
CVE-2026-56384 4.3 - Medium - June 21, 2026

Craft CMS contains a missing authorization vulnerability in the assets/preview-thumb endpoint. A Control Panel user without permission to view a target private asset can call the endpoint with an attacker-controlled assetId and receive preview HTML containing a signed fallback transform preview link for that private asset, because no asset-view permission check is performed before preview generation. This affects versions >= 4.0.0-RC1, <= 4.17.7 and >= 5.0.0-RC1, <= 5.9.13, and is fixed in 4.17.8 and 5.9.14.

AuthZ

Craft CMS RCE via FieldsController::actionRenderCardPreview (v5.5-5.9.13)
CVE-2026-56382 7.2 - High - June 21, 2026

Craft CMS (composer package craftcms/cms) versions >= 5.5.0 and <= 5.9.13 contain a remote code execution vulnerability in the FieldsController::actionRenderCardPreview() method, which passes the fieldLayoutConfig POST parameter directly to Fields::createLayout() without calling Component::cleanseConfig(). An authenticated admin user can inject Yii2 event handlers (e.g., 'on init' keys) via the fieldLayoutConfig parameter to execute arbitrary PHP code and disclose sensitive information (such as environment variables containing database credentials and CRAFT_SECURITY_KEY). The issue is fixed in version 5.9.14.

Code Injection

Craft CMS 5.0.0-RC1 XSS via Unescaped User Group Names
CVE-2026-56381 4.8 - Medium - June 21, 2026

Craft CMS from version 5.0.0-RC1 contains a stored cross-site scripting vulnerability in the User Permissions page where user group names are rendered without proper HTML escaping. Attackers with admin access can inject arbitrary JavaScript via the user group name field that executes when other users view or edit permissions.

XSS

juzaweb CMS 3.4.2 Improper Auth via Add New Themes Page
CVE-2025-6736 8.8 - High - June 27, 2025

A vulnerability classified as critical was found in juzaweb CMS 3.4.2. Affected by this vulnerability is an unknown functionality of the file /admin-cp/theme/install of the component Add New Themes Page. The manipulation leads to improper authorization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AuthZ

Juzaweb CMS 3.4.2 Remote Improper Auth in Import Page
CVE-2025-6735 8.8 - High - June 27, 2025

A vulnerability classified as critical has been found in juzaweb CMS 3.4.2. Affected is an unknown function of the file /admin-cp/imports of the component Import Page. The manipulation leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AuthZ

JuzaWeb CMS <3.4.2: Improper Access Control in Plugins Page (/admin-cp/plugin/install)
CVE-2025-5429 6.3 - Medium - June 02, 2025

A vulnerability classified as critical was found in juzaweb CMS up to 3.4.2. This vulnerability affects unknown code of the file /admin-cp/plugin/install of the component Plugins Page. The manipulation leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Authorization

juzaweb CMS <=3.4.2 Permalinks Page Improper Access – Critical Vulnerability
CVE-2025-5427 6.3 - Medium - June 02, 2025

A vulnerability was found in juzaweb CMS up to 3.4.2. It has been rated as critical. Affected by this issue is some unknown functionality of the file /admin-cp/permalinks of the component Permalinks Page. The manipulation leads to improper access controls. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Authorization

Critical Access Control Bypass in Juzaweb CMS 3.4.2 Admin Log Viewer
CVE-2025-5428 6.3 - Medium - June 02, 2025

A vulnerability classified as critical has been found in juzaweb CMS up to 3.4.2. This affects an unknown part of the file /admin-cp/log-viewer of the component Error Logs Page. The manipulation leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Authorization

juzaweb CMS 3.4.2 Menu Page Improper ACL (CVE-2025-5426)
CVE-2025-5426 6.3 - Medium - June 02, 2025

A vulnerability was found in juzaweb CMS up to 3.4.2. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin-cp/menus of the component Menu Page. The manipulation leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Authorization

juzaweb CMS 3.4.2 - Theme Editor Implicit Access Control Remote RCE
CVE-2025-5425 6.3 - Medium - June 02, 2025

A vulnerability was found in juzaweb CMS up to 3.4.2. It has been classified as critical. Affected is an unknown function of the file /admin-cp/theme/editor/default of the component Theme Editor Page. The manipulation leads to improper access controls. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Authorization

Juzaweb CMS 3.4.2 Media Page IAC Vulnerability
CVE-2025-5424 6.3 - Medium - June 02, 2025

A vulnerability was found in juzaweb CMS up to 3.4.2 and classified as critical. This issue affects some unknown processing of the file /admin-cp/media of the component Media Page. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Authorization

juzaweb CMS <=3.4.2: General Setting Page Improper Access Control
CVE-2025-5423 6.3 - Medium - June 02, 2025

A vulnerability has been found in juzaweb CMS up to 3.4.2 and classified as critical. This vulnerability affects unknown code of the file /admin-cp/setting/system/general of the component General Setting Page. The manipulation leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Authorization

juzaweb CMS 3.4.2 Email Logs Page Improper Access Control
CVE-2025-5422 4.3 - Medium - June 02, 2025

A vulnerability, which was classified as problematic, was found in juzaweb CMS up to 3.4.2. This affects an unknown part of the file /admin-cp/logs/email of the component Email Logs Page. The manipulation leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Authorization

Critical Bypass in Juzaweb CMS Plugin Editor <=3.4.2 (CVE-2025-5421)
CVE-2025-5421 6.3 - Medium - June 02, 2025

A vulnerability, which was classified as critical, has been found in juzaweb CMS up to 3.4.2. Affected by this issue is some unknown functionality of the file /admin-cp/plugin/editor of the component Plugin Editor Page. The manipulation leads to improper access controls. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Authorization

JuzaWeb CMS 3.4.x XSS via /admin-cp/file-manager/upload Upload param
CVE-2025-5420 5.4 - Medium - June 02, 2025

A vulnerability classified as problematic was found in juzaweb CMS up to 3.4.2. Affected by this vulnerability is an unknown functionality of the file /admin-cp/file-manager/upload of the component Profile Page. The manipulation of the argument Upload leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

XSS

juzaweb CMS <=3.4.2 Theme Editor Path Traversal (CVE-2024-7551)
CVE-2024-7551 4.9 - Medium - August 06, 2024

A vulnerability was found in juzaweb CMS up to 3.4.2. It has been classified as problematic. Affected is an unknown function of the file /admin-cp/theme/editor/default of the component Theme Editor. The manipulation leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-273696. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Directory traversal

Juzaweb <=3.4: Incorrect Access Control via Timezone Field
CVE-2023-46906 4.9 - Medium - January 09, 2024

juzaweb <= 3.4 is vulnerable to Incorrect Access Control, resulting in an application outage after a 500 HTTP status code. The payload in the timezone field was not correctly validated.

RCE via crafted file to custom plugin in juzawebCMS 3.4
CVE-2023-46468 7.8 - High - October 28, 2023

An issue in juzawebCMS v.3.4 and before allows a remote attacker to execute arbitrary code via a crafted file to the custom plugin function.

Injection

XSS in juzawebCMS <=3.4 via username param on reg page
CVE-2023-46467 5.4 - Medium - October 28, 2023

Cross Site Scripting vulnerability in juzawebCMS v.3.4 and before allows a remote attacker to execute arbitrary code via a crafted payload to the username parameter of the registration page.

XSS

Vendor: Juzaweb
Product: Juzaweb Cms