← Back

CVE-2026-33161

nvd nist
Published: Mar 24, 2026Modified: Mar 26, 2026

JSON object

Loading...
1.3
Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Show more
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less
Source: security-advisories@github.com (Secondary)

Description

Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can call assets/image-editor with the ID of a private asset they cannot view and still receive editor response data, including focalPoint. The endpoint returns private editing metadata without per-asset authorization validation. This issue has been patched in versions 4.17.8 and 5.9.14.

Affected (8)

Products: Craftcms: Craft Cms
Craftcms
1 product
Craft Cms
Configuration A
8 vulnerable
Vulnerable SoftwareAffected Versions
Craftcms
Craft Cms
After 4.0.0 to 4.17.8
Craft Cms
After 5.0.0 to 5.9.14
Craft Cms
Version 4.0.0
Craft Cms
Version 4.0.0 rc1
Craft Cms
Version 4.0.0 rc2
Craft Cms
Version 4.0.0 rc3
Craft Cms
Version 5.0.0
Craft Cms
Version 5.0.0 rc1

Related CWEs

CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-862
Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (4)

Source: security-advisories@github.com
Patch
Source: security-advisories@github.com
Release Notes
Source: security-advisories@github.com
Release Notes
Source: security-advisories@github.com
Vendor Advisory

Timeline

No history available yet.