CVE-2024-21622

Craft is a content management system. This is a potential moderate impact, low complexity privilege escalation vulnerability in Craft starting in 3.x prior to 3.9.6 and 4.x prior to 4.4.16 with certain user permissions setups. This has been fixed in Craft 4.4.16 and Craft 3.9.6. Users should ensure they are running at least those versions.

Published: Jan 3, 2024
Updated: May 4, 2025
CVE: CVE-2024-21622
GHSA: GHSA-j5g9-j7r4-6qvx
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-269

Affected Software
References

Software	From	Fixed in
craftcms / cms	4.0.0-RC1	4.5.11
craftcms / cms	3.0.0	3.9.6
craftcms / craft_cms	3.0.0	3.9.6
craftcms / craft_cms	4.0.0	4.5.15.x

https://github.com/craftcms/cms/blob/develop/CHANGELOG.md#4511---2023-11-16
https://github.com/craftcms/cms/blob/v3/CHANGELOG.md#396---2023-11-16
https://github.com/craftcms/cms/commit/76caf9af07d9964be0fd362772223be6a5f5b6aa
https://github.com/craftcms/cms/commit/be81eb653d633833f2ab22510794abb6bb9c0843
https://github.com/craftcms/cms/pull/13931
https://github.com/craftcms/cms/pull/13932
https://github.com/craftcms/cms/security/advisories/GHSA-j5g9-j7r4-6qvx

Vulnerability Database

289,496

CVE-2024-21622