{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32265", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-11T15:05:48.397Z", "datePublished": "2026-03-18T03:28:24.443Z", "dateUpdated": "2026-03-18T13:30:56.737Z"}, "containers": {"cna": {"title": "Amazon S3 for Craft CMS has an Information Disclosure vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/craftcms/aws-s3/security/advisories/GHSA-hwj7-4vgc-j3v9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/craftcms/aws-s3/security/advisories/GHSA-hwj7-4vgc-j3v9"}, {"name": "https://github.com/craftcms/aws-s3/commit/ef8904d8b6856e4a52893a9e1e52988ae110aa3f", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/aws-s3/commit/ef8904d8b6856e4a52893a9e1e52988ae110aa3f"}], "affected": [{"vendor": "craftcms", "product": "aws-s3", "versions": [{"version": ">= 2.0.2, < 2.2.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-18T03:28:24.443Z"}, "descriptions": [{"lang": "en", "value": "The Amazon S3 for Craft CMS plugin provides an Amazon S3 integration for Craft CMS. In versions 2.0.2 through 2.2.4, unauthenticated users can view a list of buckets the plugin has access to. The `BucketsController->actionLoadBucketData()` endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin is allowed to see. Users should update to version 2.2.5 of the plugin to mitigate the issue."}], "source": {"advisory": "GHSA-hwj7-4vgc-j3v9", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-18T13:30:46.762179Z", "id": "CVE-2026-32265", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T13:30:56.737Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32265", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-18T13:30:46.762179Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T13:30:51.217Z"}}], "cna": {"title": "Amazon S3 for Craft CMS has an Information Disclosure vulnerability", "source": {"advisory": "GHSA-hwj7-4vgc-j3v9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "craftcms", "product": "aws-s3", "versions": [{"status": "affected", "version": ">= 2.0.2, < 2.2.5"}]}], "references": [{"url": "https://github.com/craftcms/aws-s3/security/advisories/GHSA-hwj7-4vgc-j3v9", "name": "https://github.com/craftcms/aws-s3/security/advisories/GHSA-hwj7-4vgc-j3v9", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/craftcms/aws-s3/commit/ef8904d8b6856e4a52893a9e1e52988ae110aa3f", "name": "https://github.com/craftcms/aws-s3/commit/ef8904d8b6856e4a52893a9e1e52988ae110aa3f", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "The Amazon S3 for Craft CMS plugin provides an Amazon S3 integration for Craft CMS. In versions 2.0.2 through 2.2.4, unauthenticated users can view a list of buckets the plugin has access to. The `BucketsController->actionLoadBucketData()` endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin is allowed to see. Users should update to version 2.2.5 of the plugin to mitigate the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-18T03:28:24.443Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32265", "state": "PUBLISHED", "dateUpdated": "2026-03-18T13:30:56.737Z", "dateReserved": "2026-03-11T15:05:48.397Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-18T03:28:24.443Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Amazon S3 for Craft CMS plugin provides an Amazon S3 integration for Craft CMS. In versions 2.0.2 through 2.2.4, unauthenticated users can view a list of buckets the plugin has access to. The `BucketsController->actionLoadBucketData()` endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin is allowed to see. Users should update to version 2.2.5 of the plugin to mitigate the issue."}, {"lang": "es", "value": "El plugin Amazon S3 para Craft CMS proporciona una integraci\u00f3n de Amazon S3 para Craft CMS. En las versiones 2.0.2 a la 2.2.4, los usuarios no autenticados pueden ver una lista de buckets a los que el plugin tiene acceso. El endpoint 'BucketsController-&gt;actionLoadBucketData()' permite a los usuarios no autenticados con un token CSRF v\u00e1lido ver una lista de buckets que el plugin tiene permitido ver. Los usuarios deben actualizar a la versi\u00f3n 2.2.5 del plugin para mitigar el problema."}], "id": "CVE-2026-32265", "lastModified": "2026-04-16T14:46:24.290", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-18T04:17:27.337", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/craftcms/aws-s3/commit/ef8904d8b6856e4a52893a9e1e52988ae110aa3f"}, {"source": "security-advisories@github.com", "url": "https://github.com/craftcms/aws-s3/security/advisories/GHSA-hwj7-4vgc-j3v9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.0.2,2.2.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "aws-s3", "source": "cna", "vendor": "craftcms"}, "product": "aws-s3", "vendor": "craftcms"}], "analysis": {"en": {"generated_at": "2026-03-18T05:21:27.279114+00:00", "value": {"mitigation_remediation": ["Update to craftcms/aws-s3 version 2.2.5 or later"], "summary": {"action": "Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "Users running the Craft CMS amazon-s3 plugin version 2.0.2, 2.1.x, or 2.2.4 are vulnerable. The issue is specific to the aws-s3 plugin for Craft CMS and does not affect other Craft CMS components.", "description_and_impact": "The Amazon S3 for Craft CMS plugin suffered an information disclosure flaw (CWE-200). In affected versions 2.0.2 through 2.2.4, the BucketsController->actionLoadBucketData() endpoint allowed unauthenticated users who possessed a valid CSRF token to retrieve a list of S3 buckets the plugin could access. This could expose the names of storage buckets, potentially aiding attackers in reconnaissance and further exploit attempts.", "risk_and_exploitability": "The CVSS score of 6.9 indicates a moderate severity vulnerability. EPSS data is unavailable and the vulnerability is not listed in CISA\u2019s KEV catalog, suggesting limited evidence of exploitation in the wild. The likely attack vector is client\u2011side via a legitimate session that has a CSRF token; an attacker would need to navigate the site or trick a user into generating a token, after which the bucket list can be retrieved without authentication. Although the exposure does not compromise the S3 buckets themselves, it leaks potentially sensitive inventory data and could assist further attacks."}}}}, "created": "2026-03-18T10:41:54.253008+00:00", "updated": "2026-03-24T10:59:23.569490+00:00", "vendors": ["craftcms", "craftcms$PRODUCT$aws-s3"]}