CVE-2026-50283
Craft CMS versions 5.0.0-RC1–5.9.20 and 4.0.0-RC1–4.17.13 contain an authorization issue in AssetsController::actionReplaceFile that can delete a source asset without source delete permission when both assetId and sourceAssetId are supplied. The runtime loads assetId ($assetToReplace) and sourceA...