CVE-2026-14793
MEDIUMCraft CMS reorder-sets Endpoint GlobalsController.php actionReorderSets authorization
Title source: cnaDescription
A vulnerability was detected in Craft CMS up to 4.18.0.1. Affected is the function actionReorderSets of the file src/controllers/GlobalsController.php of the component reorder-sets Endpoint. The manipulation results in authorization bypass. The attack can be executed remotely. Upgrading to version 4.18.1 is able to address this issue. The patch is identified as 9bd05c91e6a7e6da5e949ec41a31c220c059aa04. The affected component should be upgraded.
References (6)
Core 6
Core References
Vdb Entry, Technical Description vdb-entry
technical-description
VDB-376387 | Craft CMS reorder-sets Endpoint GlobalsController.php actionReorderSets authorization
https://vuldb.com/vuln/376387
Signature, Permissions Required signature
permissions-required
VDB-376387 | CTI Indicators (IOB, IOC, IOA)
https://vuldb.com/vuln/376387/cti
Third Party Advisory third-party-advisory
CVE-2026-14793 | CVE Analysis and Report
https://vuldb.com/cve/CVE-2026-14793
Third Party Advisory third-party-advisory
Submit #850792 | Craftcms CMS 5.10.1 Authorization Bypass
https://vuldb.com/submit/850792
Scores
CVSS v3
4.3
EPSS
0.0022
EPSS Percentile
13.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-285
CWE-639
Status
published
Products (3)
Craft/CMS
4.18.0.0
Craft/CMS
4.18.0.1
Craft/CMS
4.18.1
Published
Jul 06, 2026
Tracked Since
Jul 06, 2026