Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
2 vulnerabilities found for aws-s3 by craftcms
CVE-2026-32265 (GCVE-0-2026-32265)
Vulnerability from nvd – Published: 2026-03-18 03:28 – Updated: 2026-03-18 13:30
VLAI?
Title
Amazon S3 for Craft CMS has an Information Disclosure vulnerability
Summary
The Amazon S3 for Craft CMS plugin provides an Amazon S3 integration for Craft CMS. In versions 2.0.2 through 2.2.4, unauthenticated users can view a list of buckets the plugin has access to. The `BucketsController->actionLoadBucketData()` endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin is allowed to see. Users should update to version 2.2.5 of the plugin to mitigate the issue.
Severity ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32265",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-18T13:30:46.762179Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-18T13:30:56.737Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "aws-s3",
"vendor": "craftcms",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0.2, \u003c 2.2.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Amazon S3 for Craft CMS plugin provides an Amazon S3 integration for Craft CMS. In versions 2.0.2 through 2.2.4, unauthenticated users can view a list of buckets the plugin has access to. The `BucketsController-\u003eactionLoadBucketData()` endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin is allowed to see. Users should update to version 2.2.5 of the plugin to mitigate the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-18T03:28:24.443Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/craftcms/aws-s3/security/advisories/GHSA-hwj7-4vgc-j3v9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/craftcms/aws-s3/security/advisories/GHSA-hwj7-4vgc-j3v9"
},
{
"name": "https://github.com/craftcms/aws-s3/commit/ef8904d8b6856e4a52893a9e1e52988ae110aa3f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/aws-s3/commit/ef8904d8b6856e4a52893a9e1e52988ae110aa3f"
}
],
"source": {
"advisory": "GHSA-hwj7-4vgc-j3v9",
"discovery": "UNKNOWN"
},
"title": "Amazon S3 for Craft CMS has an Information Disclosure vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32265",
"datePublished": "2026-03-18T03:28:24.443Z",
"dateReserved": "2026-03-11T15:05:48.397Z",
"dateUpdated": "2026-03-18T13:30:56.737Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32265 (GCVE-0-2026-32265)
Vulnerability from cvelistv5 – Published: 2026-03-18 03:28 – Updated: 2026-03-18 13:30
VLAI?
Title
Amazon S3 for Craft CMS has an Information Disclosure vulnerability
Summary
The Amazon S3 for Craft CMS plugin provides an Amazon S3 integration for Craft CMS. In versions 2.0.2 through 2.2.4, unauthenticated users can view a list of buckets the plugin has access to. The `BucketsController->actionLoadBucketData()` endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin is allowed to see. Users should update to version 2.2.5 of the plugin to mitigate the issue.
Severity ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32265",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-18T13:30:46.762179Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-18T13:30:56.737Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "aws-s3",
"vendor": "craftcms",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0.2, \u003c 2.2.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Amazon S3 for Craft CMS plugin provides an Amazon S3 integration for Craft CMS. In versions 2.0.2 through 2.2.4, unauthenticated users can view a list of buckets the plugin has access to. The `BucketsController-\u003eactionLoadBucketData()` endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin is allowed to see. Users should update to version 2.2.5 of the plugin to mitigate the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-18T03:28:24.443Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/craftcms/aws-s3/security/advisories/GHSA-hwj7-4vgc-j3v9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/craftcms/aws-s3/security/advisories/GHSA-hwj7-4vgc-j3v9"
},
{
"name": "https://github.com/craftcms/aws-s3/commit/ef8904d8b6856e4a52893a9e1e52988ae110aa3f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/aws-s3/commit/ef8904d8b6856e4a52893a9e1e52988ae110aa3f"
}
],
"source": {
"advisory": "GHSA-hwj7-4vgc-j3v9",
"discovery": "UNKNOWN"
},
"title": "Amazon S3 for Craft CMS has an Information Disclosure vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32265",
"datePublished": "2026-03-18T03:28:24.443Z",
"dateReserved": "2026-03-11T15:05:48.397Z",
"dateUpdated": "2026-03-18T13:30:56.737Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}