CVE-2026-50284
Craft CMS (versions 5.0.0-RC1–5.9.21 and 4.0.0-RC1–4.17.14) has a privilege check flaw in AssetsController::actionDeleteFolder: it only enforces deleteAssets: for the target folder and does not enforce deletePeerAssets:, allowing a low-privilege user with folder-management rights on a shared volu...