PT-2026-27465 · Craft Cms · Craft Cms

Gcxwlp · Published 2026-03-24 · Updated 2026-03-24 · CVE-2026-33160

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Craft CMS versions 4.0.0-RC1 through 4.17.7
Craft CMS versions 5.0.0-RC1 through 5.9.13

Description
Craft CMS allows an unauthenticated user to obtain transformed image bytes derived from private assets. Calling the /assets/generate-transform endpoint with the assetId of a private asset returns a transform URL without any check that the caller is allowed to view that asset, so anyone who can guess or enumerate an asset id receives content derived from it. Only derived (transformed) content is exposed and nothing can be modified, which is reflected in the vector: no privileges or user interaction required (PR:N, UI:N), low confidentiality impact (C:L), no integrity or availability impact.

Recommendations
Update Craft CMS 4.x to version 4.17.8 or later. Update Craft CMS 5.x to version 5.9.14 or later.
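The following is added example code, not part of this advisory and not Craft's own source. It covers both the description and the recommendations above: a version check that honours the advisory's "x.y.z-RCn" lower bounds (an RC must sort before the final release of the same x.y.z, otherwise 4.0.0-RC1 would be missed), and a simplified model of the endpoint showing the reported behaviour (transform URL issued with no authorization check) beside a hardened form that checks the requester's access to the asset first. The asset data, volume names, permission model and URL shape in the model are constructed assumptions for illustration only.

```python
"""
Triage helpers and a simplified model for CVE-2026-33160 (Craft CMS
assets/generate-transform missing authorization). Added example code,
not Craft's own source. Version ordering follows the "x.y.z" and
"x.y.z-RCn" scheme used in the advisory's affected ranges. The request
model is a stand-in for the real controller: its data, URL shape and
permission model are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Affected ranges and fixed releases, copied from the advisory text.
AFFECTED_RANGES = (("4.0.0-RC1", "4.17.7"), ("5.0.0-RC1", "5.9.13"))
FIXED_VERSIONS = {4: "4.17.8", 5: "5.9.14"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-[Rr][Cc](\d+))?$")


def parse_version(text: str) -> tuple:
    """Map 'x.y.z' or 'x.y.z-RCn' to a sortable tuple.

    A release candidate sorts before the final release with the same
    x.y.z, so 4.0.0-RC1 < 4.0.0 and the advisory's lower bound holds.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Craft version string: {text!r}")
    major, minor, patch, rc = m.groups()
    is_final = 0 if rc else 1
    return (int(major), int(minor), int(patch), is_final, int(rc or 0))


def is_affected(version: str) -> bool:
    """True if the version lies inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def fixed_version_for(version: str):
    """The fixed release on the same major line, or None if not affected."""
    if not is_affected(version):
        return None
    return FIXED_VERSIONS[parse_version(version)[0]]


# --- Simplified model of the endpoint, before and after the fix ----------

@dataclass(frozen=True)
class Asset:
    id: int
    volume: str   # volume the asset lives in (constructed names below)
    public: bool  # True if the volume is web-accessible to anyone


@dataclass(frozen=True)
class Requester:
    name: str
    viewable_volumes: frozenset  # private volumes this requester may view


# Constructed sample data: one public asset, one private HR document.
ASSETS = {
    1: Asset(1, "public-uploads", True),
    2: Asset(2, "hr-documents", False),
}
ANONYMOUS = Requester("anonymous", frozenset())
HR_USER = Requester("hr-staff", frozenset({"hr-documents"}))


def transform_url(asset: Asset) -> str:
    """Hypothetical URL shape for the generated transform."""
    return f"/transforms/{asset.volume}/{asset.id}_thumb.jpg"


def generate_transform_vulnerable(asset_id: int, who: Requester):
    """Behaviour described in the advisory: the asset is looked up by id and
    a transform URL is returned without asking whether `who` may view it."""
    asset = ASSETS.get(asset_id)
    if asset is None:
        return 404, "asset not found"
    return 200, transform_url(asset)


def can_view(asset: Asset, who: Requester) -> bool:
    return asset.public or asset.volume in who.viewable_volumes


def generate_transform_fixed(asset_id: int, who: Requester):
    """Hardened form: authorization is checked before any derived content
    (here, the transform URL) is produced. Missing and forbidden assets get
    the same answer so that private asset ids cannot be enumerated."""
    asset = ASSETS.get(asset_id)
    if asset is None or not can_view(asset, who):
        return 403, "forbidden"
    return 200, transform_url(asset)


if __name__ == "__main__":
    for ver in ("4.17.7", "4.17.8", "5.0.0-RC1", "5.9.14"):
        print(ver, "affected" if is_affected(ver) else "not affected",
              fixed_version_for(ver))
    print("vulnerable:", generate_transform_vulnerable(2, ANONYMOUS))
    print("fixed:     ", generate_transform_fixed(2, ANONYMOUS))
```

The point of the hardened handler is the order of operations: the access decision is made on the asset the id resolves to, before any derived artefact (URL, bytes, cache entry) is produced, and a non-existent id is answered the same way as a forbidden one.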

Exploit · Fix

Weakness Enumeration

IDOR
Missing Authorization

Related identifiers

CVE-2026-33160
GHSA-5PGF-H923-M958

Affected products

Craft Cms