CVE-2026-33162

Name of the Vulnerable Software and Affected Versions Craft CMS versions 5.3.0 through 5.9.13

Description Craft CMS is a content management system. An authenticated control panel user with only accessCp privileges can move entries between sections using the /actions/entries/move-to-section API endpoint, even if they lack the necessary saveEntries:{sectionUid} permission for either the source or destination section. The issue stems from a lack of authorization checks within the actionMoveToSection function and moveEntryToSection() function, allowing direct POST requests to bypass UI filtering and perform unauthorized entry movements. This represents an authorization bypass that could lead to unauthorized content changes and disruption of editorial controls.

Recommendations Update Craft CMS to version 5.9.14 or later.