Lucene search
K

5 matches found

NVD
NVD
added 2026/07/02 12:16 a.m.7 views

CVE-2026-50280

Craft CMS is a content management system CMS. In versions 5.0.0-RC1 and above prior to 5.9.21, the EntriesController::actionMoveToSection endpoint gates the destination section only by viewEntries:$section-uid rather than requiring saveEntries permission the source entry is separately checked via...

6CVSS0.00273EPSS
Exploits0References2
CVE
CVE
added 2026/07/01 11:43 p.m.19 views

CVE-2026-50280

Craft CMS contains an authorization bypass in the entries/move-to-section endpoint (EntriesController::actionMoveToSection). In versions 5.0.0-RC1 through below 5.9.21, destination section gate relies only on viewEntries:$section->uid instead of requiring saveEntries permission; source entry p...

6CVSS5.7AI score0.00273EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/03/24 5:32 p.m.27 views

CVE-2026-33162 Craft CMS: Authorization bypass in "entries/move-to-section" allows control panel user to move entries without section permissions

Craft CMS is a content management system CMS. From version 5.3.0 to before version 5.9.14, an authenticated control panel user with only accessCp can move entries across sections via POST /actions/entries/move-to-section, even when they do not have saveEntries:sectionUid permission for either...

7.1CVSS0.00288EPSS
Exploits0References3
OSV
OSV
added 2026/03/24 5:32 p.m.8 views

CVE-2026-33162 Craft CMS: Authorization bypass in "entries/move-to-section" allows control panel user to move entries without section permissions

Craft CMS is a content management system CMS. From version 5.3.0 to before version 5.9.14, an authenticated control panel user with only accessCp can move entries across sections via POST /actions/entries/move-to-section, even when they do not have saveEntries:sectionUid permission for either...

7.1CVSS5.8AI score0.00288EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/03/24 5:28 p.m.8 views

Craft CMS has an authorization bypass which allows any control panel user to move entries without permissions

Summary An authenticated control panel user with only accessCp can move entries across sections via POST /actions/entries/move-to-section, even when they do not have saveEntries:sectionUid permission for either source or destination section. Details Root-cause analysis 1. actionMoveToSection...

7.1CVSS5.9AI score0.00288EPSS
Exploits0References5Affected Software1
Rows per page
Query Builder