CVE-2026-33160 Craft CMS: Anonymous "generate transform" calls for assets can expose private assets via transform URL

Craft CMS is a content management system CMS. From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, an unauthenticated user can call assets/generate-transform with a private assetId, receive a valid transform URL, and fetch transformed image bytes. T...

CVE-2026-33160

Summary: CVE-2026-33160 affects Craft CMS versions 4.0.0-RC1 through 4.17.7 and 5.0.0-RC1 through 5.9.13, where an unauthenticated user can call assets/generate-transform with a private assetId, obtain a valid transform URL, and fetch the transformed image bytes. The endpoint does not enforce per...

CVE-2026-33160

Craft CMS is a content management system CMS. From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, an unauthenticated user can call assets/generate-transform with a private assetId, receive a valid transform URL, and fetch transformed image bytes. T...

CVE-2026-33160 Craft CMS: Anonymous "generate transform" calls for assets can expose private assets via transform URL

Craft CMS is a content management system CMS. From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, an unauthenticated user can call assets/generate-transform with a private assetId, receive a valid transform URL, and fetch transformed image bytes. T...

EUVD-2026-14940

Craft CMS may expose private assets through anonymous "generate transform" calls via transform URL...

Craft CMS may expose private assets through anonymous "generate transform" calls via transform URL

Summary An unauthenticated user can call assets/generate-transform with a private assetId, receive a valid transform URL, and fetch transformed image bytes. The endpoint is anonymous and does not enforce per-asset authorization before returning the transform URL. Details Root cause: - Anonymous...

GHSA-5PGF-H923-M958 Craft CMS may expose private assets through anonymous "generate transform" calls via transform URL

Summary An unauthenticated user can call assets/generate-transform with a private assetId, receive a valid transform URL, and fetch transformed image bytes. The endpoint is anonymous and does not enforce per-asset authorization before returning the transform URL. Details Root cause: - Anonymous...

Missing Authorization

Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Missing Authorization via the assets/generate-transform endpoint. An attacker can access content derived from private assets by submitting requests with arbitrary asset references, as the...

USN-8112-4: Linux kernel (Azure FIPS) vulnerabilities

Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update corrects flaws in the following subsystems: - x86 architecture; - MMC subsystem; - Network drivers; - USB Device Class drivers; - BTRFS file system; - HFS+ file...

Uncontrolled Recursion

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Uncontrolled Recursion via the pre-validation transform pipeline. An attacker can cause the server process to become...

[SECURITY] Fedora 43 Update: kiss-fft-131.2.0-1.fc43

KISS FFT - A mixed-radix Fast Fourier Transform based on the principle, "Keep It Simple, Stupid." There are many great fft libraries already around. Kiss FFT is not trying to be better than any of them. It only attempts to be a reasonably efficient, moderately useful FFT that can use fixed or...

[SECURITY] Fedora 44 Update: kiss-fft-131.2.0-1.fc44

KISS FFT - A mixed-radix Fast Fourier Transform based on the principle, "Keep It Simple, Stupid." There are many great fft libraries already around. Kiss FFT is not trying to be better than any of them. It only attempts to be a reasonably efficient, moderately useful FFT that can use fixed or...

USN-8098-1: Linux kernel vulnerabilities

Qualys discovered that several vulnerabilities existed in the AppArmor Linux kernel Security Module LSM. An unprivileged local attacker could use these issues to load, replace, and remove arbitrary AppArmor profiles causing denial of service, exposure of sensitive information kernel memory, local...

Malicious Package

Overview n8n-nodes-data-transform is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

MAL-2026-1468 Malicious code in n8n-nodes-data-transform (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7eccb194fe010c62cca46772d03416065b0f5439ada0da9ce9b49d09c23d5683 The package n8n-nodes-data-transform was found to contain malicious code. Source: ghsa-malware...

Malicious code in n8n-nodes-data-transform (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7eccb194fe010c62cca46772d03416065b0f5439ada0da9ce9b49d09c23d5683 The package n8n-nodes-data-transform was found to contain malicious code. Source: ghsa-malware...

Malicious code in transform-minify-booleans (npm)

The package 'transform-minify-booleans' is part of the PhantomRaven supply chain attack campaign Wave 2. It uses a Remote Dynamic Dependency RDD technique: the published package appears benign but includes a URL-based dependency in package.json pointing to an attacker-controlled C2 server...

Malicious code in transform-for-of (npm)

The package 'transform-for-of' is part of the PhantomRaven supply chain attack campaign Wave 3. It uses a Remote Dynamic Dependency RDD technique: the published package appears benign but includes a URL-based dependency in package.json pointing to an attacker-controlled C2 server...

Malicious code in transform-es2015-parameters (npm)

The package 'transform-es2015-parameters' is part of the PhantomRaven supply chain attack campaign Wave 3. It uses a Remote Dynamic Dependency RDD technique: the published package appears benign but includes a URL-based dependency in package.json pointing to an attacker-controlled C2 server...

Malicious code in transform-inline-consecutive-adds (npm)

The package 'transform-inline-consecutive-adds' is part of the PhantomRaven supply chain attack campaign Wave 3. It uses a Remote Dynamic Dependency RDD technique: the published package appears benign but includes a URL-based dependency in package.json pointing to an attacker-controlled C2 server...