{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29113", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-03T21:54:06.710Z", "datePublished": "2026-03-10T19:44:44.530Z", "dateUpdated": "2026-03-10T20:06:27.216Z"}, "containers": {"cna": {"title": "Craft has a potential information disclosure vulnerability in preview tokens", "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "lang": "en", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 2.3, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/craftcms/cms/security/advisories/GHSA-vg3j-hpm9-8v5v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-vg3j-hpm9-8v5v"}, {"name": "https://github.com/craftcms/cms/commit/6a88468dc35a27cccc8fef254f415a447d4a07cc", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/cms/commit/6a88468dc35a27cccc8fef254f415a447d4a07cc"}], "affected": [{"vendor": "craftcms", "product": "cms", "versions": [{"version": ">= 4.0.0-RC1, < 4.17.3", "status": "affected"}, {"version": ">= 5.0.0-RC1, < 5.9.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T19:44:44.530Z"}, "descriptions": [{"lang": "en", "value": "Craft is a content management system (CMS). Prior to 4.17.4 and 5.9.7, Craft CMS has a CSRF issue in the preview token endpoint at /actions/preview/create-token. The endpoint accepts an attacker-supplied previewToken. Because the action does not require POST and does not enforce a CSRF token, an attacker can force a logged-in victim editor to mint a preview token chosen by the attacker. That token can then be used by the attacker (without authentication) to access previewed/unpublished content tied to the victim\u2019s authorized preview scope. This vulnerability is fixed in 4.17.4 and 5.9.7."}], "source": {"advisory": "GHSA-vg3j-hpm9-8v5v", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T20:05:03.344019Z", "id": "CVE-2026-29113", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T20:06:27.216Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29113", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T20:05:03.344019Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T20:06:12.418Z"}}], "cna": {"title": "Craft has a potential information disclosure vulnerability in preview tokens", "source": {"advisory": "GHSA-vg3j-hpm9-8v5v", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2.3, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "craftcms", "product": "cms", "versions": [{"status": "affected", "version": ">= 4.0.0-RC1, < 4.17.3"}, {"status": "affected", "version": ">= 5.0.0-RC1, < 5.9.6"}]}], "references": [{"url": "https://github.com/craftcms/cms/security/advisories/GHSA-vg3j-hpm9-8v5v", "name": "https://github.com/craftcms/cms/security/advisories/GHSA-vg3j-hpm9-8v5v", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/craftcms/cms/commit/6a88468dc35a27cccc8fef254f415a447d4a07cc", "name": "https://github.com/craftcms/cms/commit/6a88468dc35a27cccc8fef254f415a447d4a07cc", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Craft is a content management system (CMS). Prior to 4.17.4 and 5.9.7, Craft CMS has a CSRF issue in the preview token endpoint at /actions/preview/create-token. The endpoint accepts an attacker-supplied previewToken. Because the action does not require POST and does not enforce a CSRF token, an attacker can force a logged-in victim editor to mint a preview token chosen by the attacker. That token can then be used by the attacker (without authentication) to access previewed/unpublished content tied to the victim\u2019s authorized preview scope. This vulnerability is fixed in 4.17.4 and 5.9.7."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352: Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T19:44:44.530Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29113", "state": "PUBLISHED", "dateUpdated": "2026-03-10T20:06:27.216Z", "dateReserved": "2026-03-03T21:54:06.710Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-10T19:44:44.530Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "D0A1962E-9E8D-470E-9183-EBB0E574F05B", "versionEndExcluding": "4.17.4", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "352DAA49-7360-49C5-8EED-3B6FCF3EC626", "versionEndExcluding": "5.9.7", "versionStartIncluding": "5.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Craft is a content management system (CMS). Prior to 4.17.4 and 5.9.7, Craft CMS has a CSRF issue in the preview token endpoint at /actions/preview/create-token. The endpoint accepts an attacker-supplied previewToken. Because the action does not require POST and does not enforce a CSRF token, an attacker can force a logged-in victim editor to mint a preview token chosen by the attacker. That token can then be used by the attacker (without authentication) to access previewed/unpublished content tied to the victim\u2019s authorized preview scope. This vulnerability is fixed in 4.17.4 and 5.9.7."}, {"lang": "es", "value": "Craft es un sistema de gesti\u00f3n de contenido (CMS). Antes de 4.17.4 y 5.9.7, Craft CMS tiene un problema de CSRF en el endpoint de token de vista previa en /actions/preview/create-token. El endpoint acepta un previewToken suministrado por el atacante. Debido a que la acci\u00f3n no requiere POST y no impone un token CSRF, un atacante puede forzar a un editor v\u00edctima que ha iniciado sesi\u00f3n a acu\u00f1ar un token de vista previa elegido por el atacante. Ese token puede ser usado entonces por el atacante (sin autenticaci\u00f3n) para acceder a contenido previsualizado/no publicado vinculado al alcance de vista previa autorizado de la v\u00edctima. Esta vulnerabilidad est\u00e1 corregida en 4.17.4 y 5.9.7."}], "id": "CVE-2026-29113", "lastModified": "2026-03-12T15:36:11.803", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.3, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-10T20:16:38.060", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/craftcms/cms/commit/6a88468dc35a27cccc8fef254f415a447d4a07cc"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-vg3j-hpm9-8v5v"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.0.0-RC1,4.17.3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.0.0-RC1,5.9.6)"}}], "enrichment": {"confidence": 83.0, "confidence_source": "matching", "scores": [{"score": 83.0, "source": "matching"}]}, "original": {"product": "cms", "source": "cna", "vendor": "craftcms"}, "product": "craftcms", "vendor": "craftcms"}], "analysis": {"en": {"generated_at": "2026-04-16T03:28:31.464019+00:00", "value": {"mitigation_remediation": ["Upgrade Craft CMS to version 4.17.4 or later, or 5.9.7 or later, depending on your current major release.", "If an upgrade cannot be performed immediately, temporarily disable the /actions/preview/create-token endpoint or add CSRF protection to enforce that the request originates from the same origin.", "Configure the application so that it rejects any client\u2011supplied previewToken values and only generates tokens server-side after verifying the user\u2019s session."], "summary": {"action": "Apply Patches", "impact": "Information Disclosure of Unpublished Content"}, "threat_synthesis": {"affected_systems": "Vendors: Craft CMS; product: Craft CMS; affected versions: any release earlier than 4.17.4 for the 4.x series or earlier than 5.9.7 for the 5.x series.", "description_and_impact": "Craft CMS allows attackers to influence the preview token creation endpoint at /actions/preview/create-token because the action accepts a previewToken from the request and does not enforce CSRF protection. An authenticated editor with valid session cookies can be tricked into hitting this endpoint and will receive a preview token chosen by the attacker. Once the token is obtained, the attacker can use it in subsequent GET requests without authentication to view unpublished or preview content that the victim is authorized to see. This information disclosure exposes content that is not yet public, potentially compromising competitive advantage, privacy, or intellectual property.", "risk_and_exploitability": "The CVSS score of 2.3 indicates low severity, and the EPSS score of less than 1% means exploitation probability is very low. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a crafted request that forces a logged\u2011in editor to request a preview token with an attacker\u2011supplied value. No authentication is required to use the token, so the attacker can retrieve previewed or unpublished content belonging to the victim. The risk is mainly informational disclosure rather than denial of service or remote code execution, but exposure of internal content can have business and privacy consequences."}}}}, "created": "2026-03-11T11:43:18.154906+00:00", "updated": "2026-04-16T03:30:06.069541+00:00", "vendors": ["craftcms", "craftcms$PRODUCT$craftcms"]}