PT-2026-22951

🗓️ 03 Mar 2026 00:00:00Reported by Positive TechnologiesType

ptsecurity

ptsecurity🔗 dbugs.ptsecurity.com👁 3 Views

Craft CMS permits duplicating other users' entries via direct requests despite limited view permissions.

Reporter	Title	Published	Views	Family All 12
ATTACKERKB	CVE-2026-28782	4 Mar 202616:36	–	attackerkb
Circl	CVE-2026-28782	2 Mar 202623:09	–	circl
CNNVD	Craft CMS 安全漏洞	4 Mar 202600:00	–	cnnvd
CVE	CVE-2026-28782	4 Mar 202616:36	–	cve
Cvelist	CVE-2026-28782 Craft has a Permission Bypass and IDOR in Duplicate Entry Action	4 Mar 202616:36	–	cvelist
Github Security Blog	Craft CMS has Permission Bypass and IDOR in Duplicate Entry Action	3 Mar 202621:05	–	github
NVD	CVE-2026-28782	4 Mar 202617:16	–	nvd
OSV	CVE-2026-28782 Craft has a Permission Bypass and IDOR in Duplicate Entry Action	4 Mar 202616:36	–	osv
OSV	GHSA-JXM3-PMM2-9GF6 Craft CMS has Permission Bypass and IDOR in Duplicate Entry Action	3 Mar 202621:05	–	osv
RedhatCVE	CVE-2026-28782	5 Mar 202619:31	–	redhatcve

Source	Link
github	www.github.com/craftcms/cms/security/advisories/GHSA-jxm3-pmm2-9gf6
osv	www.osv.dev/vulnerability/GHSA-jxm3-pmm2-9gf6
nvd	www.nvd.nist.gov/vuln/detail/CVE-2026-28782
github	www.github.com/craftcms/cms
github	www.github.com/craftcms/cms/commit/fb61a91357f5761c852400185ba931f51d82783d

04 Mar 2026 00:00Current

5.9Medium risk

Vulners AI Score5.9

CVSS 45.3 - 7.1

EPSS0.00042

Craft CMS Duplication vulnerability Improper permissions Direct request Entry identifiers Admin endpoint Affected versions