GHSA-vg3j-hpm9-8v5v
Suggest an improvement- Source
- https://github.com/advisories/GHSA-vg3j-hpm9-8v5v
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-vg3j-hpm9-8v5v/GHSA-vg3j-hpm9-8v5v.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-vg3j-hpm9-8v5v
- Aliases
- Published
- 2026-03-10T18:22:02Z
- Modified
- 2026-03-13T04:22:14.813486Z
- Severity
-
- 2.3 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator
- Summary
- Craft CMS has a potential information disclosure vulnerability in preview tokens
- Details
-
Summary
Craft CMS has a CSRF issue in the preview token endpoint at
/actions/preview/create-token. The endpoint accepts an attacker-suppliedpreviewToken.Because the action does not require POST and does not enforce a CSRF token, an attacker can force a logged-in victim editor to mint a preview token chosen by the attacker.
That token can then be used by the attacker (without authentication) to access previewed/unpublished content tied to the victim’s authorized preview scope.
Preconditions
- Victim is logged in to Craft control panel.
- Victim has active preview authorization in session for target content (e.g., opened/edited an entry).
- The attacker must know the target’s
canonicalIdand public URL path of that entry.
1) Attacker prepares a fixed token
Use any 32-character value, for example:
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa2) CSRF victim into minting that token
Send the victim a link (or top-level redirect) such as:
https://TARGET/actions/preview/create-token?elementType=craft%5Celements%5CEntry&canonicalId=123&siteId=1&previewToken=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&redirect=https%3A%2F%2FTARGET%2FIf the victim is logged in and authorized for
previewElement:123, Craft creates that exact token.3) Attacker accesses preview content unauthenticated
curl -i 'https://TARGET/news/known-entry-slug?token=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'Expected vulnerable behavior:
- Response renders preview/unpublished state (draft/provisional context), not just normal public content.
Impact
- CSRF-based minting of attacker-known preview tokens.
- Unauthorized access to draft/provisional/revision content via token replay.
- Stealthy one-click exploitation against logged-in editors/admins.
- No dependency on forwarded-host poisoning.
- Database specific
{ "cwe_ids": [ "CWE-287", "CWE-352" ], "github_reviewed_at": "2026-03-10T18:22:02Z", "nvd_published_at": "2026-03-10T20:16:38Z", "severity": "LOW", "github_reviewed": true }- References
Affected packages
Packagist / craftcms/cms
Package
- Name
- craftcms/cms
- Purl
- pkg:composer/craftcms/cms
Affected versions
4.*
4.0.0-RC1
4.0.0-RC2
4.0.0-RC3
4.0.0
4.0.0.1
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.5.1
4.0.5.2
4.0.6
4.1.0
4.1.0.1
4.1.0.2
4.1.1
4.1.2
4.1.3
4.1.4
4.1.4.1
4.2.0
4.2.0.1
4.2.0.2
4.2.1
4.2.1.1
4.2.2
4.2.3
4.2.4
4.2.5
4.2.5.1
4.2.5.2
4.2.6
4.2.7
4.2.8
4.3.0
4.3.1
4.3.2
4.3.2.1
4.3.3
4.3.4
4.3.5
4.3.6
4.3.6.1
4.3.7
4.3.7.1
4.3.8
4.3.8.1
4.3.8.2
4.3.9
4.3.10
4.3.11
4.4.0-beta.1
4.4.0-beta.2
4.4.0-beta.3
4.4.0-beta.4
4.4.0-beta.5
4.4.0-beta.6
4.4.0-beta.7
4.4.0
4.4.1
4.4.2
4.4.3
4.4.4
4.4.5
4.4.6
4.4.6.1
4.4.7
4.4.7.1
4.4.8
4.4.9
4.4.10
4.4.10.1
4.4.11
4.4.12
4.4.13
4.4.14
4.4.15
4.4.16
4.4.16.1
4.4.17
4.5.0-beta.1
4.5.0-beta.2
4.5.0
4.5.1
4.5.2
4.5.3
4.5.4
4.5.5
4.5.6
4.5.6.1
4.5.7
4.5.8
4.5.9
4.5.10
4.5.11
4.5.11.1
4.5.12
4.5.13
4.5.14
4.5.15
4.6.0-RC1
4.6.0
4.6.1
4.7.0
4.7.1
4.7.2
4.7.2.1
4.7.3
4.7.4
4.8.0
4.8.1
4.8.2
4.8.3
4.8.4
4.8.5
4.8.6
4.8.7
4.8.8
4.8.9
4.8.10
4.8.11
4.9.0
4.9.1
4.9.2
4.9.3
4.9.4
4.9.5
4.9.6
4.9.7
4.10.0-beta.1
4.10.0-beta.2
4.10.0
4.10.1
4.10.2
4.10.3
4.10.4
4.10.5
4.10.6
4.10.7
4.10.8
4.11.0
4.11.0.1
4.11.0.2
4.11.1
4.11.2
4.11.3
4.11.4
4.11.5
4.12.0
4.12.1
4.12.2
4.12.3
4.12.4
4.12.4.1
4.12.5
4.12.6
4.12.6.1
4.12.7
4.12.8
4.12.9
4.13.0
4.13.1
4.13.1.1
4.13.2
4.13.3
4.13.4
4.13.5
4.13.6
4.13.7
4.13.8
4.13.9
4.13.10
4.14.0
4.14.0.1
4.14.0.2
4.14.1
4.14.2
4.14.3
4.14.4
4.14.5
4.14.6
4.14.7
4.14.8
4.14.8.1
4.14.9
4.14.10
4.14.11
4.14.11.1
4.14.12
4.14.13
4.14.14
4.14.15
4.15.0-beta.1
4.15.0-beta.2
4.15.0
4.15.0.1
4.15.0.2
4.15.1
4.15.2
4.15.3
4.15.4
4.15.5
4.15.6
4.15.6.1
4.15.6.2
4.15.7
4.16.0
4.16.1
4.16.2
4.16.3
4.16.4
4.16.5
4.16.6
4.16.6.1
4.16.7
4.16.8
4.16.9
4.16.9.1
4.16.10
4.16.11
4.16.12
4.16.13
4.16.14
4.16.15
4.16.16
4.16.17
4.16.18
4.16.19
4.17.0-beta.1
4.17.0-beta.2
4.17.0
4.17.1
4.17.2
4.17.3
Packagist / craftcms/cms
Package
- Name
- craftcms/cms
- Purl
- pkg:composer/craftcms/cms
Affected versions
5.*
5.0.0-RC1
5.0.0
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.1.0
5.1.1
5.1.2
5.1.3
5.1.4
5.1.5
5.1.6
5.1.7
5.1.8
5.1.9
5.1.10
5.2.0-beta.1
5.2.0-beta.2
5.2.0-beta.3
5.2.0-beta.4
5.2.0-beta.5
5.2.0-beta.6
5.2.0
5.2.1
5.2.2
5.2.3
5.2.4
5.2.4.1
5.2.5
5.2.6
5.2.7
5.2.8
5.2.9
5.2.10
5.3.0-beta.1
5.3.0-beta.2
5.3.0
5.3.0.1
5.3.0.2
5.3.0.3
5.3.1
5.3.2
5.3.3
5.3.4
5.3.5
5.3.6
5.4.0
5.4.0.1
5.4.1
5.4.2
5.4.3
5.4.4
5.4.5
5.4.5.1
5.4.6
5.4.7
5.4.7.1
5.4.8
5.4.9
5.4.10
5.4.10.1
5.5.0
5.5.0.1
5.5.1
5.5.1.1
5.5.2
5.5.3
5.5.4
5.5.5
5.5.6
5.5.6.1
5.5.7
5.5.8
5.5.9
5.5.10
5.6.0
5.6.0.1
5.6.0.2
5.6.1
5.6.2
5.6.3
5.6.4
5.6.5
5.6.5.1
5.6.6
5.6.7
5.6.8
5.6.9
5.6.9.1
5.6.10
5.6.10.1
5.6.10.2
5.6.11
5.6.12
5.6.13
5.6.14
5.6.15
5.6.16
5.6.17
5.7.0-beta.1
5.7.0-beta.2
5.7.0
5.7.1
5.7.1.1
5.7.2
5.7.3
5.7.4
5.7.5
5.7.6
5.7.7
5.7.8
5.7.8.1
5.7.8.2
5.7.9
5.7.10
5.7.11
5.8.0
5.8.1
5.8.2
5.8.3
5.8.4
5.8.5
5.8.6
5.8.7
5.8.8
5.8.9
5.8.10
5.8.11
5.8.12
5.8.13
5.8.13.1
5.8.13.2
5.8.14
5.8.15
5.8.16
5.8.17
5.8.18
5.8.19
5.8.20
5.8.21
5.8.22
5.8.23
5.9.0-beta.1
5.9.0-beta.2
5.9.0
5.9.1
5.9.2
5.9.3
5.9.4
5.9.5
5.9.6