CVE-2026-31266

HIGH

Craft CMS <= 5.9.5 - Missing Authorization in Migrate Endpoint

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-31266. PoCs published by adminlove520, 0xrixet.

AI-analyzed exploit summary The repository contains only screenshots and a README with no actual exploit code or technical details about CVE-2026-31266. The presence of screenshots without accompanying code or analysis is indicative of a suspicious repository.

Description

Craft CMS 5.9.5 and earlier contains a Missing Authorization vulnerability in the migrate endpoint (/actions/app/migrate).

Exploits (2)

github SUSPICIOUS 4 stars
by adminlove520 · pythonpoc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2026/CVE-2026-31266

The repository contains only screenshots and a README with no actual exploit code or technical details about CVE-2026-31266. The presence of screenshots without accompanying code or analysis is indicative of a suspicious repository.

Classification
Suspicious 90%
Attack Type
Other
Complexity
N/a
Reliability
N/a
Target: Unknown
No auth needed
devstral-2 · analyzed May 28, 2026 Full analysis →
github WORKING POC
by 0xrixet · poc
https://github.com/0xrixet/Craftcms-PoC-CVE-2026-31266

The repository contains functional exploit code for CVE-2026-31266, targeting Craft CMS. The PoC includes screenshots demonstrating the exploit's effectiveness, such as admin privilege changes and migration creation.

Classification
Working Poc 90%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Craft CMS
No auth needed
Prerequisites: Access to a vulnerable Craft CMS instance
devstral-2 · analyzed Jun 05, 2026 Full analysis →

References (3)

Core 3

Scores

CVSS v3 7.3
EPSS 0.0005
EPSS Percentile 15.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-862
Status published
Published May 27, 2026
Tracked Since May 27, 2026