VYPR
Moderate severity · NVD Advisory · Published Mar 24, 2026 · Updated Mar 25, 2026

Craft CMS: Authorization bypass in "entries/move-to-section" allows control panel user to move entries without section permissions

CVE-2026-33162

Description

Craft CMS is a content management system (CMS). From version 5.3.0 to before version 5.9.14, an authenticated control panel user with only accessCp can move entries across sections via POST /actions/entries/move-to-section, even when they do not have saveEntries:{sectionUid} permission for either source or destination section. This issue has been patched in version 5.9.14.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| craftcms/cms (Packagist) | >= 5.3.0, < 5.9.14 | 5.9.14 |
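To check whether a deployment falls inside the affected range listed above, the following added example (not part of the advisory or of Craft CMS) reads the contents of a `composer.lock` file and classifies the locked `craftcms/cms` version. It assumes the standard Composer lock layout (`packages` and `packages-dev` arrays with `name` and `version` keys); the function names and the sample lock data are constructed for illustration.

```python
import json
import re

PACKAGE = "craftcms/cms"
FIRST_AFFECTED = (5, 3, 0)  # advisory: >= 5.3.0
FIRST_PATCHED = (5, 9, 14)  # advisory: < 5.9.14
_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(?:\.\d+)?([-+].*)?")

# Constructed sample in composer.lock layout (not taken from a real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "yiisoft/yii2", "version": "2.0.52"},
        {"name": "craftcms/cms", "version": "5.8.2"},
    ],
    "packages-dev": [],
})


def parse_version(raw):
    """Return ((major, minor, patch), has_suffix), or None for versions
    such as 'dev-main' that cannot be ordered against the advisory range."""
    m = _VERSION_RE.fullmatch(raw.strip())
    if m is None:
        return None
    return tuple(int(p) for p in m.group(1, 2, 3)), bool(m.group(4))


def classify(version):
    """Return 'affected', 'not-affected' or 'unknown' for a version string."""
    parsed = parse_version(version)
    if parsed is None:
        return "unknown"
    triple, has_suffix = parsed
    # A suffixed build of a boundary version (e.g. 5.9.14-beta.1) is not
    # settled by the published range; report it for manual review.
    if has_suffix and triple in (FIRST_AFFECTED, FIRST_PATCHED):
        return "unknown"
    return "affected" if FIRST_AFFECTED <= triple < FIRST_PATCHED else "not-affected"


def audit_lock(lock_text):
    """Return (version, verdict) for craftcms/cms in composer.lock content."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if pkg.get("name", "").lower() == PACKAGE:
                return pkg.get("version", ""), classify(pkg.get("version", ""))
    return None, "not-installed"


if __name__ == "__main__":
    print(audit_lock(SAMPLE_LOCK))
```

An `unknown` verdict means the locked version is a branch alias or a suffixed boundary build and should be compared against the patched release by hand.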
