4 matches found

CVE
added yesterday, 8 views

CVE-2026-50280

Craft CMS contains an authorization bypass in the entries/move-to-section endpoint (EntriesController::actionMoveToSection). In versions from 5.0.0-RC1 up to, but not including, 5.9.21, the destination section gate relies only on viewEntries:$section->uid instead of requiring saveEntries permission; source entry p...

CVSS 6 | AI score 5.7
Exploits: 0 | References: 2
CVE
added 2026/03/24 5:32 p.m., 17 views

CVE-2026-33162

Craft CMS vulnerability CVE-2026-33162 affects versions from 5.3.0 up to, but not including, 5.9.14. An authenticated control panel user with only accessCp can move entries across sections by POSTing to /actions/entries/move-to-section, even without saveEntries:{sectionUid} permission for source or destination. ...

CVSS 7.1 | AI score 5.8 | EPSS 0.00288
Exploits: 0 | References: 3 | Affected Software: 1
OSV
added 2026/03/24 5:28 p.m., 5 views

GHSA-F582-6GF6-GX4G Craft CMS has an authorization bypass which allows any control panel user to move entries without permissions

Summary: An authenticated control panel user with only accessCp can move entries across sections via POST /actions/entries/move-to-section, even when they do not have saveEntries:sectionUid permission for either source or destination section. Details: Root-cause analysis: 1. actionMoveToSection...

CVSS 7.1 | AI score 5.9 | EPSS 0.00288
Exploits: 0 | References: 5
Snyk
added 2026/03/24 5:28 p.m., 2 views

Missing Authorization

Overview: craftcms/cms is a content management system. Affected versions of this package are vulnerable to Missing Authorization in the actionMoveToSection process. An attacker can perform unauthorized content changes by sending crafted POST requests to the affected endpoint, allowing them to move...

CVSS 7.1 | AI score 5.9 | EPSS 0.00288
Exploits: 0 | References: 2