Threat Intelligence Database
Comprehensive database of the latest cyber threats affecting organizations worldwide. Filter and search to find specific threat intelligence relevant to your organization.
Stop chasing alerts. Route them.
Start free, then upgrade once to turn Radar into an automated delivery engine for your security stack.
Custom feeds / Automations: email, Slack, webhooks, SIEM/MISP / API access (baseline limits)
API access activates after upgrading in Console -> Billing.
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.
Filter Threats
Narrow down the results by type, severity, or affected countries
Threat Intelligence
Click on any threat for detailed analysis and mitigation recommendations
CVE-2026-12257: CWE-94 Improper Control of Generation of Code ('Code Injection') in Mura Software CMSCVE-2026-12257 0 Versions of Mura CMS prior to 10.0.712 contain a critical remote code execution (RCE) vulnerability. The flaw is located in the endpoint “/index.cfm/_api/json/v1/default”, where the “method” parameter in POST requests is not properly validated or sanitised before being processed by the ColdFusion engine. As a result, a remote attacker could exploit this vulnerability to inject and execute arbitrary CFML (ColdFusion Markup Language) expressions and instantiate malicious Java objects, thereby compromising the system’s security. Join the discussion | CVE Database V5 | 07/13/2026, 11:29:59 UTC Added: 07/13/2026, 12:04:03 UTC |
CVE-2026-50281: CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes in craftcms cmsCVE-2026-50281 0 Craft CMS is a content management system (CMS). Versions 5.7.0 and above, prior to 5.9.21 contain a mass-assignment flaw in the bulk-duplicate element action. An attacker who is only able to duplicate their own entires can submit an arbitrary id through the newAttributes request parameter. The duplication routine overrides its own id = null reset with that value and writes the attacker's attributes into the victim's existing entry row. ElementsController::beforeAction() pulls the request body into $this->_attributes and rejects requests that ship an id or canonicalId key at the top level, actionBulkDuplicate(), reads a separate newAttributes array and passes it straight through to the service layer. Elements::duplicateElement() clones the source element, sets id to null, and then hands the attacker's array to Craft::configure(), which overwrites the reset id with any numeric value inside $newAttributes. PHP Yii's saveElement() then performs an UPDATE against the row with that primary key instead of an INSERT. The attackers's title, slug, authorId, postDate, and UID land on the victim's entry. safeAttributes() on Entry includes id because the base element model exposes it, so the Collection::only() filter does not strip it. This issue has been fixed in version 5.9.21. Join the discussion | CVE Database V5 | 07/02/2026, 16:02:14 UTC Added: 07/02/2026, 20:21:57 UTC |
CVE-2026-50282: CWE-862: Missing Authorization in craftcms cmsCVE-2026-50282 0 Craft CMS is a content management system (CMS). Versions 5.0.0-RC1 and above, prior to 5.9.21 and versions 4.0.0-RC1 and above prior to 4.17.14 contain an authorization issue where a forced folder move can delete a conflicting destination folder without destination delete permission. Function craft\\controllers\\AssetsController::actionMoveFolder() supports moving an asset folder into a destination parent folder. If a folder with the same name already exists at the destination, the action can be called with force=true to overwrite the destination. This issue has been resolved in versions 5.9.21 and 4.17.14. Join the discussion | CVE Database V5 | 07/02/2026, 16:15:25 UTC Added: 07/02/2026, 18:36:43 UTC |
CVE-2026-55794: CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine in craftcms cmsCVE-2026-55794 0 Craft CMS is a content management system (CMS). In versions 5.9.0 and above prior to 5.10.0, control panel users with the ability to edit entries can execute unsandboxed Twig code via the HTTP Referrer header, potentially leading to authenticated RCE. The issue happens when a user is saving entries. Strings for a signed redirect URL are being compiled as a Twig template via renderObjectTemplate(), and while a sandboxed alternative already exists (renderSandboxedObjectTemplate()), it is not used in this case. This signed URL can be specified by users, as it is reflected in the “Referer” HTTP request header, which is under attacker control. This issue has been fixed in version 5.10.0. Join the discussion | CVE Database V5 | 07/01/2026, 23:26:22 UTC Added: 07/01/2026, 23:51:36 UTC |
CVE-2026-55791: CWE-918: Server-Side Request Forgery (SSRF) in craftcms cmsCVE-2026-55791 0 Craft CMS is a content management system (CMS). Versions 4.0.0-RC1 and above, prior to 4.18.0 and 5.0.0-RC1, and above, prior to 5.10.0, are vulnerable to Server-Side Request Forgery (SSRF) and Arbitrary JavaScript Injection through the /actions/app/resource-js endpoint. By exploiting the default permissive trustedHosts configuration, an attacker can poison the Host or X-Forwarded-Host header to manipulate the application’s $baseUrl. This bypasses the endpoint’s internal URL validation, forcing the backend Guzzle client to fetch a malicious payload from an attacker-controlled server and reflect it to the client with a Content-Type: application/javascript header. The vulnerability manifests when assetManager.cacheSourcePaths is set to false. This issue has been fixed in versions 4.18.0 and 5.10.0. Join the discussion | CVE Database V5 | 07/01/2026, 23:13:58 UTC Added: 07/01/2026, 23:51:36 UTC |
CVE-2026-50280: CWE-284: Improper Access Control in craftcms cmsCVE-2026-50280 0 Craft CMS versions 5.0.0-RC1 up to but not including 5.9.21 contain an improper access control vulnerability in the EntriesController::actionMoveToSection() endpoint. This flaw allows a low-privileged authenticated user with permission to move entries to relocate an entry into a section where they only have read access, bypassing the intended saveEntries permission check. This breaks the section-level authorization model, potentially disrupting editorial workflows and business logic. The issue is fixed in version 5.9.21. Join the discussion | CVE Database V5 | 07/01/2026, 23:43:49 UTC Added: 07/01/2026, 23:51:36 UTC |
CVE-2026-50279: CWE-285: Improper Authorization in craftcms cmsCVE-2026-50279 0 Craft CMS versions 5.0.0-RC1 up to but not including 5.9.21 contain an improper authorization vulnerability in the EntriesController::actionSaveEntry() method. This flaw allows a low-privileged user who is an existing author of an entry to reassign the entry's authorship to another user without having the required peer-author-change permission. The issue arises because the permission check occurs before the author list is mutated, and no re-authorization is performed after the change. This vulnerability has been fixed in version 5.9.21. Join the discussion | CVE Database V5 | 07/01/2026, 23:31:31 UTC Added: 07/01/2026, 23:51:36 UTC |
CVE-2026-55790: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in craftcms cmsCVE-2026-55790 0 Craft CMS is a content management system (CMS). In versions 5.0.0-RC1 through 5.9.22 and 4.0.0-RC1 through 4.17.15, an attacker with only a GitHub account can plant a JavaScript payload in a craftcms/cms issue title. When a Craft admin uses the CraftSupport widget’s "Give feedback" screen and types a search term that returns the poisoned issue, the payload executes in the admin’s control panel session. No control panel account or elevated privileges are required on the attacker’s side. This issue has been fixed in versions 4.17.16 and 5.9.23. Join the discussion | CVE Database V5 | 07/01/2026, 22:57:53 UTC Added: 07/01/2026, 23:21:42 UTC |
CVE-2026-50284: CWE-862: Missing Authorization in craftcms cmsCVE-2026-50284 0 Craft CMS versions 4.0.0-RC1 through 4.17.14 and 5.0.0-RC1 through 5.9.21 contain a missing authorization vulnerability in the AssetsController::actionDeleteFolder() method. This flaw allows a low-privilege user with folder-management rights on a shared volume to delete assets uploaded by other users, bypassing intended per-asset permission checks. The issue was fixed in versions 4.17.15 and 5.9.22. Join the discussion | CVE Database V5 | 07/01/2026, 22:37:30 UTC Added: 07/01/2026, 22:51:57 UTC |
CVE-2026-50283: CWE-862: Missing Authorization in craftcms cmsCVE-2026-50283 0 Craft CMS versions 5.0.0-RC1 through 5.9.20 and 4.0.0-RC1 through 4.17.13 contain an authorization vulnerability in the AssetsController::actionReplaceFile function. This flaw allows an authenticated user with file replace permissions on one volume to delete assets in another volume without having delete permissions, by supplying both assetId and sourceAssetId parameters. The issue arises because the permission check is only performed against the target asset, not the source asset being deleted. This can lead to unintended deletion of assets, broken content references, and data loss. The vulnerability has been fixed in versions 4.17.14 and 5.9.21. Join the discussion | CVE Database V5 | 07/01/2026, 22:20:01 UTC Added: 07/01/2026, 22:51:57 UTC |
Showing 1 to 10 of 21 results