CVE-2026-44012 Craft CMS: Missing Volume Permission Check in AssetsController::actionShowInFolder Allows Information Disclosure

Craft CMS is a content management system CMS. From 5.0.0-RC1 to before 5.9.18, AssetsController::actionShowInFolder fetches an asset by ID and returns its filename and complete folder hierarchy including volume handle, volume UID, folder names, folder UIDs, and folder URI paths without checking...