craftcms/cms Security Advisories for 5.9.12 (7)
[LOW] Craft CMS: Authorized asset "preview file" requests bypass allows users without asset access to retrieve private preview metadata
PKSA-hq3k-cthz-b9zn GHSA-44px-qjjc-xrhq
Affected version: >=4.0.0-RC1,<=4.17.7|>=5.0.0-RC1,<=5.9.13
Reported by: GitHub

[MEDIUM] Craft CMS has an authorization bypass which allows any control panel user to move entries without permissions
PKSA-7c6f-2hwc-ptwd CVE-2026-33162 GHSA-f582-6gf6-gx4g
Affected version: >=5.3.0,<=5.9.13
Reported by: GitHub

[LOW] Craft CMS' anonymous "assets/image-editor" calls return private asset editor metadata to unauthorized users
PKSA-w984-dygq-7ryn CVE-2026-33161 GHSA-vgjg-248p-rfm2
Affected version: >=4.0.0-RC1,<=4.17.7|>=5.0.0-RC1,<=5.9.13
Reported by: GitHub

[LOW] Craft CMS may expose private assets through anonymous "generate transform" calls via transform URL
PKSA-swp1-ty4d-gpzy CVE-2026-33160 GHSA-5pgf-h923-m958
Affected version: >=4.0.0-RC1,<=4.17.7|>=5.0.0-RC1,<=5.9.13
Reported by: GitHub

[MEDIUM] Craft CMS: Unauthenticated Users Can Perform Restricted Project Config Sync Operations
PKSA-rxrx-pcy1-2csw CVE-2026-33159 GHSA-6mrr-q3pj-h53w
Affected version: >=4.0.0-RC1,<=4.17.7|>=5.0.0-RC1,<=5.9.13
Reported by: GitHub

[MEDIUM] Craft CMS: Low-privilege users could read private asset contents when editing an asset (IDOR)
PKSA-548y-fsbg-y9t7 CVE-2026-33158 GHSA-3pvf-vxrv-hh9c
Affected version: >=5.0.0-RC1,<=5.9.13|>=4.0.0-RC1,<=4.17.7
Reported by: GitHub

[HIGH] Craft CMS is Vulnerable to Authenticated Remote Code Execution via Malicious Attached Behavior
PKSA-twkq-r2c1-87qq CVE-2026-33157 GHSA-2fph-6v5w-89hh
Affected version: >=5.6.0,<=5.9.12
Reported by: GitHub