Lucene search
K

5 matches found

Github Security Blog
Github Security Blog
added 2026/03/26 5:12 p.m.7 views

Craft CMS: Authorized asset "preview file" requests bypass allows users without asset access to retrieve private preview metadata

Summary An authenticated low-privileged user can call assets/preview-file for an asset they are not authorized to view and still receive preview response data previewHtml for that private asset. The returned preview HTML included a private preview image route containing the target private assetId...

5.8AI score
Exploits0References4Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/24 5:30 p.m.2 views

CVE-2026-33160 Craft CMS: Anonymous "generate transform" calls for assets can expose private assets via transform URL

Craft CMS is a content management system CMS. From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, an unauthenticated user can call assets/generate-transform with a private assetId, receive a valid transform URL, and fetch transformed image bytes. T...

6.9CVSS5.8AI score0.00355EPSS
Exploits0References4
OSV
OSV
added 2026/03/24 5:30 p.m.4 views

CVE-2026-33160 Craft CMS: Anonymous "generate transform" calls for assets can expose private assets via transform URL

Craft CMS is a content management system CMS. From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, an unauthenticated user can call assets/generate-transform with a private assetId, receive a valid transform URL, and fetch transformed image bytes. T...

6.9CVSS5.8AI score0.00355EPSS
Exploits0References6
OSV
OSV
added 2026/03/24 5:27 p.m.3 views

GHSA-VGJG-248P-RFM2 Craft CMS' anonymous "assets/image-editor" calls return private asset editor metadata to unauthorized users

Summary A low-privileged authenticated user can call assets/image-editor with the ID of a private asset they cannot view and still receive editor response data, including focalPoint. The endpoint returns private editing metadata without per-asset authorization validation. Root-cause analysis: 1...

5.3CVSS5.8AI score0.00215EPSS
Exploits0References6
OSV
OSV
added 2026/03/24 4:59 p.m.9 views

GHSA-5PGF-H923-M958 Craft CMS may expose private assets through anonymous "generate transform" calls via transform URL

Summary An unauthenticated user can call assets/generate-transform with a private assetId, receive a valid transform URL, and fetch transformed image bytes. The endpoint is anonymous and does not enforce per-asset authorization before returning the transform URL. Details Root cause: - Anonymous...

6.9CVSS5.8AI score0.00355EPSS
Exploits0References6
Rows per page
Query Builder