CVE-2026-29113 LOW

CVE-2026-29113: Craft has a potential information disclosure vulnerability in preview tokens

Vendor Craftcms
Product cms
Weakness CWE-352 · CSRF
Published March 10, 2026
Last update March 10, 2026
View on NVD All CVEs

CVSS base score

2.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Craft is a content management system (CMS). Prior to 4.17.4 and 5.9.7, Craft CMS has a CSRF issue in the preview token endpoint at /actions/preview/create-token. The endpoint accepts an attacker-supplied previewToken. Because the action does not require POST and does not enforce a CSRF token, an attacker can force a logged-in victim editor to mint a preview token chosen by the attacker. That token can then be used by the attacker (without authentication) to access previewed/unpublished content tied to the victim’s authorized preview scope. This vulnerability is fixed in 4.17.4 and 5.9.7.

Key dates

02Disclosure timeline

March 10, 2026 CVE published
March 10, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2022-4936 WCFM Marketplace <= 3.4.12 - Cross-Site Request Forgery CVE-2025-23818 WordPress More Link Modifier plugin <= 1.0.3 - CSRF to Cross-Site Scripting vulnerability CVE-2025-46507 WordPress Unsafe Mimetypes plugin <= 0.1.4 - Cross Site Request Forgery (CSRF) to Stored XSS vulnerability CVE-2025-59480 Inadequate validation of SSO redirect credentials permits credential theft CVE-2025-32659 WordPress FraudLabs Pro for WooCommerce plugin <= 2.22.8 - CSRF to Stored XSS vulnerability