Lucene search
+L

4 matches found

NVD
NVD
added 2026/06/21 2:16 p.m.16 views

CVE-2026-56384

Craft CMS contains a missing authorization vulnerability in the assets/preview-thumb endpoint. A Control Panel user without permission to view a target private asset can call the endpoint with an attacker-controlled assetId and receive preview HTML containing a signed fallback transform preview...

5.3CVSS0.00193EPSS
Exploits0References3
NVD
NVD
added 2026/03/24 6:16 p.m.5 views

CVE-2026-33160

Craft CMS is a content management system CMS. From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, an unauthenticated user can call assets/generate-transform with a private assetId, receive a valid transform URL, and fetch transformed image bytes. T...

6.9CVSS0.00355EPSS
Exploits0References4
NVD
NVD
added 2026/03/24 6:16 p.m.4 views

CVE-2026-33161

Craft CMS is a content management system CMS. From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can call assets/image-editor with the ID of a private asset they cannot view and still receive editor response dat...

5.3CVSS0.00215EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/03/24 5:26 p.m.2 views

CVE-2026-33158

Craft CMS is a content management system CMS. From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can read private asset content by calling assets/edit-image with an arbitrary assetId that they are not authorized...

7.1CVSS5.8AI score0.00353EPSS
Exploits0References5Affected Software1
Rows per page
Query Builder