CVE-2026-33162
MEDIUMCraft CMS 5.3.0-5.9.13 - Entry Section Move Authorization Bypass
Title source: manualDescription
Craft CMS is a content management system (CMS). From version 5.3.0 to before version 5.9.14, an authenticated control panel user with only accessCp can move entries across sections via POST /actions/entries/move-to-section, even when they do not have saveEntries:{sectionUid} permission for either source or destination section. This issue has been patched in version 5.9.14.
References (3)
Core 3
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/craftcms/cms/security/advisories/GHSA-f582-6gf6-gx4g
X_Refsource_Misc x_refsource_misc
https://github.com/craftcms/cms/commit/3c1ab1c4445dd9237855a66e6a06ecf3591a718e
X_Refsource_Misc x_refsource_misc
https://github.com/craftcms/cms/releases/tag/5.9.14
Scores
CVSS v3
6.5
EPSS
0.0029
EPSS Percentile
20.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-285
CWE-862
Status
published
Products (3)
craftcms/cms
5.3.0 - 5.9.14Packagist
craftcms/cms
>= 5.3.0, < 5.9.14
craftcms/craft_cms
5.3.0 - 5.9.14
Published
Mar 24, 2026
Tracked Since
Mar 24, 2026