CVE-2026-27128 | Craft CMS up to 4.16.18/5.8.22 getTokenRoute toctou (GHSA-6fx5-5cw5-4897)

February 24, 2026 Yanac

A vulnerability, which was classified as problematic, was found in Craft CMS up to 4.16.18/5.8.22. The affected element is the function getTokenRoute. The manipulation results in time-of-check time-of-use.

This vulnerability is identified as CVE-2026-27128. The attack can be executed remotely. There is not any exploit available.

You should upgrade the affected component.VulDB Recent EntriesRead More