Auth bypass in Craftcms Cms

CVE-2026-33162

Craft CMS is a content management system (CMS). From version 5.3.0 to before version 5.9.14, an authenticated control panel user with only accessCp can move entries across sections via POST /actions/entries/move-to-section, even when they…

EPSS: 0.000 (2.2th percentile) — read the EPSS interpretation.

Affected products

Craftcms Cms — versions >= 5.3.0, < 5.9.14

Weakness classification (CWE)

References

https://github.com/craftcms/cms/security/advisories/GHSA-f582-6gf6-gx4g (x_refsource_CONFIRM)
https://github.com/craftcms/cms/commit/3c1ab1c4445dd9237855a66e6a06ecf3591a718e (x_refsource_MISC)
https://github.com/craftcms/cms/releases/tag/5.9.14 (x_refsource_MISC)