[HIGH] Craft CMS's Missing Authorization in GraphQL Address Resolver Allows Cross-Scope PII Disclosure

PKSA-sxz1-z4jg-2vhh CVE-2026-44010 GHSA-gj2p-p9m4-c8gw

Affected package: craftcms/cms

Affected version: >=4.0.0,<4.17.12|>=5.0.0,<5.9.18

Reported by:
GitHub