PKSA-fd42-dyd4-g3dq Security Advisory
[HIGH] Craft CMS: Missing peer-permission check in `AssetsController::actionDeleteFolder` allows deletion of other users' assets
PKSA-fd42-dyd4-g3dq CVE-2026-50284 GHSA-7h62-6v23-v8fm
Affected package: craftcms/cms
Affected version: >=4.0.0-RC1,<4.17.15|>=5.0.0-RC1,<5.9.22
Reported by: GitHub