These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
CVE-2026-56394 is a high-severity vulnerability in Craft CMS, a content management system. An authenticated path traversal vulnerability exists in the assets/icon endpoint, where the extension parameter is not validated before file existence checks. This allows attackers to bypass extension validation by passing traversal sequences that resolve to existing SVG files, potentially leading to local file read [truncated]
CVE-2026-56393 is a medium-severity vulnerability affecting Craft CMS versions 4.x and 5.x. An authenticated administrator can inject malicious payloads into various settings, leading to arbitrary JavaScript execution in other users' control-panel sessions. The vulnerability is fixed in Craft CMS 4.17.0-beta.1 and 5.9.0-beta.1. Defenders should prioritize patching due to the potential for code execution.
CVE-2026-56385 is a medium-severity authorization bypass vulnerability in Craft CMS. The vulnerability affects Craft CMS versions >= 5.0.0-RC1, <= 5.9.13 and >= 4.0.0-RC1, <= 4.17.7. An authenticated low-privileged user can exploit this vulnerability to view private assets by supplying a controlled assetId. The vulnerability has been fixed in Craft CMS versions 5.9.14 and 4.17.8. Defenders should prioriti [truncated]
CVE-2026-56384 is a missing authorization vulnerability in Craft CMS, affecting versions 4.0.0-RC1 to 4.17.7 and 5.0.0-RC1 to 5.9.13. This vulnerability allows a Control Panel user who lacks permission to view a given private asset to call the assets/preview-thumb endpoint with an attacker-controlled assetId and receive preview HTML containing a signed fallback transform preview link for that private asset [truncated]
CVE-2026-56383 is a stored cross-site scripting (XSS) vulnerability in Craft CMS, specifically in the editableTable.twig component when using the 'Row Heading' column type. The application fails to sanitize input within row heading default values, allowing an attacker with an administrator account (with allowAdminChanges enabled) to inject arbitrary JavaScript that executes when another user views a page [truncated]
CVE-2026-56382 is a high-severity remote code execution vulnerability in Craft CMS versions >= 5.5.0 and <= 5.9.13. The vulnerability exists in the FieldsController::actionRenderCardPreview() method, which passes the fieldLayoutConfig POST parameter directly to Fields::createLayout() without proper sanitization. An authenticated admin user can inject Yii2 event handlers to execute arbitrary PHP code and d [truncated]
CVE-2026-56381 is a stored cross-site scripting (XSS) vulnerability in Craft CMS, affecting versions 5.0.0-RC1 and later. The vulnerability exists in the User Permissions page, where user group names are rendered without proper HTML escaping. Attackers with admin access can inject arbitrary JavaScript via the user group name field, which executes when other users view or edit permissions. The CVSS score f [truncated]