PT-2026-24403 · Craft Cms+1
Singet
·
Published
2026-03-10
·
Updated
2026-03-10
·
CVE-2026-29113
CVSS v3.1
4.3
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Craft versions prior to 4.17.4
Craft versions prior to 5.9.7
Description
Craft CMS has a Cross-Site Request Forgery (CSRF) issue in the preview token endpoint. The endpoint, located at
/actions/preview/create-token, accepts an attacker-supplied previewToken. The action does not require a POST request and does not enforce a CSRF token, allowing an attacker to force a logged-in editor to generate a preview token chosen by the attacker. This token can then be used by the attacker, without authentication, to access previewed or unpublished content authorized for the victim’s preview scope.
Recommendations
Update to Craft version 4.17.4 or later.
Update to Craft version 5.9.7 or later.
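The description above names three missing controls on the token-creation action: no POST requirement, no CSRF token check, and a token value supplied by the client rather than minted by the server. The following is an added illustration, not Craft CMS code and not the vendor's patch: a framework-neutral Python model of a token-creation handler in the weak shape the advisory describes, beside a hardened handler that enforces all three controls. The `Request`/`Session` types, the `csrf_token` parameter name and the in-memory token store are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed stand-ins for a web framework's session and request objects.
@dataclass
class Session:
    user_id: str
    # Per-session secret the server embeds in its own forms; a forged
    # cross-site request cannot read it.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))

@dataclass
class Request:
    method: str
    session: Optional[Session]          # None = unauthenticated caller
    params: Dict[str, str]

# Constructed store: preview token -> user whose preview scope it grants.
TokenStore = Dict[str, str]

def create_token_weak(req: Request, store: TokenStore) -> Tuple[int, Optional[str]]:
    """The pattern the advisory describes: any HTTP method is accepted, no CSRF
    proof is demanded, and the token value comes straight from the client."""
    if req.session is None:
        return 403, None
    token = req.params.get("previewToken")
    if token is None:
        return 400, None
    store[token] = req.session.user_id  # caller-chosen, now valid for the editor
    return 200, token

def create_token_hardened(req: Request, store: TokenStore) -> Tuple[int, Optional[str]]:
    """Same action with the three controls in place."""
    if req.session is None:
        return 403, None
    # 1. State-changing action: only accept POST, so a plain link or image
    #    load cannot trigger it.
    if req.method != "POST":
        return 405, None
    # 2. Proof the request originated from a page the server rendered for
    #    this session; constant-time compare avoids a timing side channel.
    submitted = req.params.get("csrf_token", "")
    if not hmac.compare_digest(submitted, req.session.csrf_token):
        return 400, None
    # 3. The server mints the token; any client-supplied value is ignored, so
    #    nobody can know a valid token before it is issued to the editor.
    token = secrets.token_urlsafe(32)
    store[token] = req.session.user_id
    return 200, token

def can_preview(token: str, store: TokenStore) -> Optional[str]:
    """Resolve a preview token to the user whose scope it grants, if any."""
    return store.get(token)

if __name__ == "__main__":
    editor = Session(user_id="editor-1")
    forged = Request("GET", editor, {"previewToken": "guessable"})
    print("weak handler:     ", create_token_weak(forged, {}))
    print("hardened handler: ", create_token_hardened(forged, {}))
```

The hardened handler returns a distinct status for each missing control (405, 400, 403), which is also what a defender would look for in access logs after patching: a burst of non-POST or CSRF-rejected calls to the token endpoint is the residue of an attempt that is now being stopped.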
Exploit
Fix
Improper Authentication
CSRF
Related Identifiers
Affected Products
Craft
Craft Cms