CVE-2026-14793

MEDIUM

Craft CMS reorder-sets Endpoint GlobalsController.php actionReorderSets authorization

Title source: cna
STIX 2.1

Description

A vulnerability was detected in Craft CMS up to 4.18.0.1. Affected is the function actionReorderSets of the file src/controllers/GlobalsController.php of the component reorder-sets Endpoint. The manipulation results in authorization bypass. The attack can be executed remotely. Upgrading to version 4.18.1 is able to address this issue. The patch is identified as 9bd05c91e6a7e6da5e949ec41a31c220c059aa04. The affected component should be upgraded.

References (6)

Core 6
Core References
Vdb Entry, Technical Description vdb-entry technical-description
VDB-376387 | Craft CMS reorder-sets Endpoint GlobalsController.php actionReorderSets authorization
https://vuldb.com/vuln/376387
Signature, Permissions Required signature permissions-required
VDB-376387 | CTI Indicators (IOB, IOC, IOA)
https://vuldb.com/vuln/376387/cti
Third Party Advisory third-party-advisory
CVE-2026-14793 | CVE Analysis and Report
https://vuldb.com/cve/CVE-2026-14793
Third Party Advisory third-party-advisory
Submit #850792 | Craftcms CMS 5.10.1 Authorization Bypass
https://vuldb.com/submit/850792

Scores

CVSS v3 4.3
EPSS 0.0022
EPSS Percentile 13.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-285 CWE-639
Status published
Products (3)
Craft/CMS 4.18.0.0
Craft/CMS 4.18.0.1
Craft/CMS 4.18.1
Published Jul 06, 2026
Tracked Since Jul 06, 2026