CVE-2026-32267
Craft CMS vulnerable to privilege escalation via UsersController->actionImpersonateWithToken. From 4.0.0-RC1 up to 4.17.5 and 5.0.0-RC1 up to 5.9.11, a low-privilege or unauthenticated user with a shared URL can escalate to admin. Patch versions: 4.17.6 and 5.9.12. CVSS 4.0 base score 9.2 (CRI...