[MEDIUM] Craft CMS has an authorization bypass which allows any control panel user to move entries without permissions

PKSA-7c6f-2hwc-ptwd CVE-2026-33162 GHSA-f582-6gf6-gx4g

Affected package: craftcms/cms

Affected version: >=5.3.0,<=5.9.13

Reported by:
GitHub