Publish Advisories

GHSA-2xfc-g69j-x2mp
GHSA-5fvc-7894-ghp4
GHSA-7x43-mpfg-r9wj
GHSA-94rc-cqvm-m4pw
GHSA-jxm3-pmm2-9gf6
GHSA-qc86-q28f-ggww
GHSA-v47q-jxvr-p68x
GHSA-wj3p-5h3x-c74q

Author: advisory-database[bot]

advisories/github-reviewed/2026/03/GHSA-2xfc-g69j-x2mp/GHSA-2xfc-g69j-x2mp.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-2xfc-g69j-x2mp",
-  "modified": "2026-03-03T21:00:51Z",
+  "modified": "2026-03-04T18:39:05Z",
   "published": "2026-03-03T21:00:51Z",
   "aliases": [
     "CVE-2026-28781"
@@ -59,6 +59,10 @@
       "type": "WEB",
       "url": "https://github.com/craftcms/cms/security/advisories/GHSA-2xfc-g69j-x2mp"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28781"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/craftcms/cms/commit/830b403870cd784b47ae42a3f5a16e7ac2d7f5a8"
@@ -80,6 +84,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-03T21:00:51Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-04T17:16:21Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-5fvc-7894-ghp4/GHSA-5fvc-7894-ghp4.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-5fvc-7894-ghp4",
-  "modified": "2026-03-03T21:01:27Z",
+  "modified": "2026-03-04T18:39:13Z",
   "published": "2026-03-03T21:01:27Z",
   "aliases": [
     "CVE-2026-28783"
@@ -59,6 +59,10 @@
       "type": "WEB",
       "url": "https://github.com/craftcms/cms/security/advisories/GHSA-5fvc-7894-ghp4"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28783"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/craftcms/cms/pull/18208"
@@ -81,6 +85,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-03T21:01:27Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-04T17:16:21Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-7x43-mpfg-r9wj/GHSA-7x43-mpfg-r9wj.json

@@ -1,14 +1,19 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-7x43-mpfg-r9wj",
-  "modified": "2026-03-03T20:38:55Z",
+  "modified": "2026-03-04T18:38:55Z",
   "published": "2026-03-03T20:38:55Z",
   "aliases": [
     "CVE-2026-28696"
   ],
   "summary": "Craft CMS has IDOR via GraphQL @parseRefs",
   "details": "The GraphQL directive `@parseRefs`, intended to parse internal reference tags (e.g., `{user:1:email}`), can be abused by both authenticated users and unauthenticated guests (if a Public Schema is enabled) to access sensitive attributes of any element in the CMS. The implementation in `Elements::parseRefs` fails to perform authorization checks, allowing attackers to read data they are not authorized to view.\n\n## Vulnerability Details\n\n`craft\\services\\Elements::parseRefs` identifies reference tags and resolves them using `_getRefTokenReplacement`. This method fetches the referenced element and accesses the specified attribute via $element->$attribute.\n\n- Missing Auth Check: It bypasses `canView()` checks.\n- Polymorphic Access: `getElementTypeByRefHandle` allows referencing any element type (entry, asset, user, category).\n- Custom Field Access: Since Craft elements use `__get()` to resolve custom field handles, an attacker is not limited to core attributes. They can exfiltrate any custom field data by enumerating the field handle (e.g. `{entry:123:privateNotes}`).\n\n## Attack Vectors\n\n1. Privilege Escalation / User Data Leak\n\nAn attacker can enumerate sensitive attributes of administrators or other users.\n\n- Payload: `{user:1:email}` or `{user:1:photoId}`\n\n2. Arbitrary Property Reflection & Server-Side Logic Execution\n\nThe vulnerability allows reflecting any accessible property of the underlying Element model.\n\n- Username/Admin Enumeration: `{user:1:username}` (Confirmed: returns admin), {user:1:admin}.\n- Internal Path Disclosure: Accessing methods that trigger errors (e.g., `{user:1:authKey}`) exposes full server stack traces in the GraphQL error response (e.g., Exception: No user session token exists with paths like `/var/www/html/...`).\n\n3. IDOR on Private Entries & Assets (Polymorphism)\n\nThe vulnerability is not limited to Users. Reference tags can target any element type.\n\n- Payload: `{entry:456:myConfidentialField}` (Bypasses canView checks).\n- Asset Path Leakage: `{volume:1:path}` can expose internal file system paths.\n\n4. Unauthenticated Exploitation (Public Schema)\n\nConfirmed locally. The `@parseRefs` directive is active in the Public Schema. By injecting a payload into a public-facing field (e.g., a \"News\" entry title), an unauthenticated guest can trigger the resolution and retrieve the sensitive output.\n\n## Steps to Reproduce\n\n1. Setup (Admin Panel):\n- Create a Section (e.g., \"News\") and an Entry Type.\n- Create a new Entry in that section. Set the Title to the payload: {user:1:username} or {user:1:email}.\n- Go to GraphQL > Schemas > Public Schema. Enable it, and ensure \"Query for elements in the Site\" and \"News\" section queries are checked.\n\n2. Execute Exploit (Unauthenticated):\n- Send a POST request to http://localhost:8000/index.php?action=graphql/api:\n```\ncurl -X POST \\\n-H \"Content-Type: application/json\" \\\n-d '{\"query\": \"{ entries { title @parseRefs } }\"}'\n```\n\n3. Observation:\n- The API returns `{\"data\":{\"entries\":[{\"title\":\"admin\"}]}}` (or the email).\n- Using `{user:1:authKey}` triggers an internal server error that leaks the full server path in string format.\n\n## Impact\n\n- Critical Information Disclosure: Full PII enumeration (emails, usernames).\n- System Information Leakage: Absolute server paths via stack traces.\n- Authentication Bypass: Guest accounts can effectively query the database as the system user.\n\n## Recommended Fix\n\nModify `Elements::parseRefs` to enforce `canView` permissions on the resolved element before extracting attributes.\n\n## References\n\nhttps://github.com/craftcms/cms/commit/4d98a07e47580f1712095825d3e3c4d67bc9f8b9",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
   "affected": [
     {
       "package": {
@@ -54,6 +59,10 @@
       "type": "WEB",
       "url": "https://github.com/craftcms/cms/security/advisories/GHSA-7x43-mpfg-r9wj"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28696"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/craftcms/cms/commit/4d98a07e47580f1712095825d3e3c4d67bc9f8b9"
@@ -65,11 +74,12 @@
   ],
   "database_specific": {
     "cwe_ids": [
+      "CWE-639",
       "CWE-862"
     ],
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-03T20:38:55Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-04T17:16:21Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-94rc-cqvm-m4pw/GHSA-94rc-cqvm-m4pw.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-94rc-cqvm-m4pw",
-  "modified": "2026-03-03T20:30:36Z",
+  "modified": "2026-03-04T18:38:42Z",
   "published": "2026-03-03T20:30:36Z",
   "aliases": [
     "CVE-2026-28695"
@@ -59,6 +59,10 @@
       "type": "WEB",
       "url": "https://github.com/craftcms/cms/security/advisories/GHSA-94rc-cqvm-m4pw"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28695"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/craftcms/cms/commit/e31e50849ad71638e11ea55fbd1ed90ae8f8f6e0"
@@ -77,6 +81,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-03T20:30:36Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-04T17:16:20Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-jxm3-pmm2-9gf6/GHSA-jxm3-pmm2-9gf6.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-jxm3-pmm2-9gf6",
-  "modified": "2026-03-03T21:05:12Z",
+  "modified": "2026-03-04T18:39:08Z",
   "published": "2026-03-03T21:05:12Z",
   "aliases": [
     "CVE-2026-28782"
@@ -59,6 +59,10 @@
       "type": "WEB",
       "url": "https://github.com/craftcms/cms/security/advisories/GHSA-jxm3-pmm2-9gf6"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28782"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/craftcms/cms/commit/fb61a91357f5761c852400185ba931f51d82783d"
@@ -75,6 +79,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-03T21:05:12Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-04T17:16:21Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-qc86-q28f-ggww/GHSA-qc86-q28f-ggww.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-qc86-q28f-ggww",
-  "modified": "2026-03-03T21:06:41Z",
+  "modified": "2026-03-04T18:39:16Z",
   "published": "2026-03-03T21:06:41Z",
   "aliases": [
     "CVE-2026-28784"
@@ -59,10 +59,18 @@
       "type": "WEB",
       "url": "https://github.com/craftcms/cms/security/advisories/GHSA-qc86-q28f-ggww"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28784"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/craftcms/cms/pull/18208"
     },
+    {
+      "type": "WEB",
+      "url": "https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/craftcms/cms"
@@ -75,6 +83,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-03T21:06:41Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-04T17:16:21Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-v47q-jxvr-p68x/GHSA-v47q-jxvr-p68x.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-v47q-jxvr-p68x",
-  "modified": "2026-03-03T21:00:16Z",
+  "modified": "2026-03-04T18:39:01Z",
   "published": "2026-03-03T21:00:16Z",
   "aliases": [
     "CVE-2026-28697"
@@ -59,6 +59,10 @@
       "type": "WEB",
       "url": "https://github.com/craftcms/cms/security/advisories/GHSA-v47q-jxvr-p68x"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28697"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/craftcms/cms/pull/18216"
@@ -83,6 +87,6 @@
     "severity": "CRITICAL",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-03T21:00:16Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-04T17:16:21Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-wj3p-5h3x-c74q/GHSA-wj3p-5h3x-c74q.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-wj3p-5h3x-c74q",
-  "modified": "2026-03-03T16:44:18Z",
+  "modified": "2026-03-04T18:38:37Z",
   "published": "2026-03-03T16:44:18Z",
   "aliases": [
     "CVE-2025-62879"
@@ -97,6 +97,14 @@
       "type": "WEB",
       "url": "https://github.com/rancher/backup-restore-operator/security/advisories/GHSA-wj3p-5h3x-c74q"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62879"
+    },
+    {
+      "type": "WEB",
+      "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-62879"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/rancher/backup-restore-operator"
@@ -109,6 +117,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-03T16:44:18Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-04T16:16:25Z"
   }
 }