CVE-2026-32265
Amazon S3 for Craft CMS has an Information Disclosure vulnerability
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
The Amazon S3 for Craft CMS plugin provides an Amazon S3 integration for Craft CMS. In versions 2.0.2 through 2.2.4, unauthenticated users can view a list of buckets the plugin has access to. The `BucketsController->actionLoadBucketData()` endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin is allowed to see. Users should update to version 2.2.5 of the plugin to mitigate the issue.
| CWE | CWE-200 |
| Vendor | craftcms |
| Product | aws-s3 |
| Published | Mar 18, 2026 |
| Last Updated | Mar 18, 2026 |
Stay Ahead of the Next One
Get instant alerts for craftcms aws-s3
Be the first to know when new unknown vulnerabilities affecting craftcms aws-s3 are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
craftcms / aws-s3
>= 2.0.2, < 2.2.5