Auth bypass in Craftcms Cms

CVE-2026-44012

Craft CMS is a content management system (CMS). From 5.0.0-RC1 to before 5.9.18, AssetsController::actionShowInFolder() fetches an asset by ID and returns its filename and complete folder hierarchy (including volume handle, volume UID, fol…

Vulnerability class: Broken Access Control

EPSS: 0.000 (1.7th percentile) — read the EPSS interpretation.