[HIGH] Craft CMS's Missing Volume Permission Check in AssetsController::actionShowInFolder Allows Information Disclosure

PKSA-tj2m-c963-6jtt CVE-2026-44012 GHSA-33m5-hqp9-97pw

Affected package: craftcms/cms

Affected version: >=5.0.0-RC1,<5.9.18

Reported by:
GitHub