CVE-2026-14794

MEDIUM

Craft CMS Charts Endpoint ChartsController.php actionGetNewUsersData improper authorization

Title source: cna
STIX 2.1

Description

A flaw has been found in Craft CMS up to 4.18.0.1. Affected by this vulnerability is the function actionGetNewUsersData of the file src/controllers/ChartsController.php of the component Charts Endpoint. This manipulation of the argument userGroupId causes improper authorization. The attack is possible to be carried out remotely. Upgrading to version 4.18.1 addresses this issue. Patch name: 9ee53efc1314e6aba32771c66a13e072a246f4ce. It is suggested to upgrade the affected component.

References (6)

Core 6
Core References
Vdb Entry, Technical Description vdb-entry technical-description
VDB-376388 | Craft CMS Charts Endpoint ChartsController.php actionGetNewUsersData improper authorization
https://vuldb.com/vuln/376388
Signature, Permissions Required signature permissions-required
VDB-376388 | CTI Indicators (IOB, IOC, TTP, IOA)
https://vuldb.com/vuln/376388/cti
Third Party Advisory third-party-advisory
CVE-2026-14794 | CVE Analysis and Report
https://vuldb.com/cve/CVE-2026-14794
Third Party Advisory third-party-advisory
Submit #850793 | Craftcms CMS 5.10.1 Improper Access Controls
https://vuldb.com/submit/850793

Scores

CVSS v3 4.3
EPSS 0.0022
EPSS Percentile 12.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-266 CWE-285
Status published
Products (3)
Craft/CMS 4.18.0.0
Craft/CMS 4.18.0.1
Craft/CMS 4.18.1
Published Jul 06, 2026
Tracked Since Jul 06, 2026