
Description

Craft CMS is a content management system (CMS). From version 5.3.0 to before version 5.9.14, an authenticated control panel user with only the accessCp permission can move entries across sections via POST /actions/entries/move-to-section, even when they do not have the saveEntries:{sectionUid} permission for either the source or the destination section. This issue has been patched in version 5.9.14.

PUBLISHED Reserved 2026-03-17 | Published 2026-03-24 | Updated 2026-03-25 | Assigner GitHub_M




MEDIUM: 4.9 | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

Problem types

CWE-285: Improper Authorization

CWE-862: Missing Authorization

Product status

>= 5.3.0, < 5.9.14: affected

References

github.com/...ms/cms/security/advisories/GHSA-f582-6gf6-gx4g

github.com/...ommit/3c1ab1c4445dd9237855a66e6a06ecf3591a718e

github.com/craftcms/cms/releases/tag/5.9.14

cve.org (CVE-2026-33162)

nvd.nist.gov (CVE-2026-33162)
