CVE-2026-56384 Craft CMS - Missing Authorization in assets/preview-thumb Endpoint
Craft CMS contains a missing authorization vulnerability in the assets/preview-thumb endpoint. A Control Panel user without permission to view a target private asset can call the endpoint with an attacker-controlled assetId and receive preview HTML containing a signed fallback transform preview...