CVE-2026-32265

Source
https://cve.org/CVERecord?id=CVE-2026-32265
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32265.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-32265
Aliases
Published
2026-03-18T03:28:24.443Z
Modified
2026-04-02T13:24:28.784311Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
Amazon S3 for Craft CMS has an Information Disclosure vulnerability
Details

The Amazon S3 for Craft CMS plugin provides an Amazon S3 integration for Craft CMS. In versions 2.0.2 through 2.2.4, unauthenticated users can view a list of buckets the plugin has access to. The BucketsController->actionLoadBucketData() endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin is allowed to see. Users should update to version 2.2.5 of the plugin to mitigate the issue.

Database specific
{
    "cwe_ids": [
        "CWE-200"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32265.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/craftcms/aws-s3

Affected ranges

Type
GIT
Repo
https://github.com/craftcms/aws-s3
Events

Affected versions

2.*
2.0.2
2.0.3
2.1.0
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32265.json"