{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33161", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T21:17:08.887Z", "datePublished": "2026-03-24T17:31:28.077Z", "dateUpdated": "2026-03-24T18:02:07.070Z"}, "containers": {"cna": {"title": "Craft CMS: Anonymous \"assets/image-editor\" calls returns private asset editor metadata to unauthorized users", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 1.3, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U", "version": "4.0"}}], "references": [{"name": "https://github.com/craftcms/cms/security/advisories/GHSA-vgjg-248p-rfm2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-vgjg-248p-rfm2"}, {"name": "https://github.com/craftcms/cms/commit/d30df3112220db1ffd6726a3ed11857014c7fb27", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/cms/commit/d30df3112220db1ffd6726a3ed11857014c7fb27"}, {"name": "https://github.com/craftcms/cms/releases/tag/4.17.8", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/cms/releases/tag/4.17.8"}, {"name": "https://github.com/craftcms/cms/releases/tag/5.9.14", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/cms/releases/tag/5.9.14"}], "affected": [{"vendor": "craftcms", "product": "cms", "versions": [{"version": ">= 4.0.0-RC1, < 4.17.8", "status": "affected"}, {"version": ">= 5.0.0-RC1, < 5.9.14", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T17:31:28.077Z"}, "descriptions": [{"lang": "en", "value": "Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can call assets/image-editor with the ID of a private asset they cannot view and still receive editor response data, including focalPoint. The endpoint returns private editing metadata without per-asset authorization validation. This issue has been patched in versions 4.17.8 and 5.9.14."}], "source": {"advisory": "GHSA-vgjg-248p-rfm2", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T18:01:51.344776Z", "id": "CVE-2026-33161", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T18:02:07.070Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33161", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T18:01:51.344776Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T18:01:57.000Z"}}], "cna": {"title": "Craft CMS: Anonymous \"assets/image-editor\" calls returns private asset editor metadata to unauthorized users", "source": {"advisory": "GHSA-vgjg-248p-rfm2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 1.3, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "craftcms", "product": "cms", "versions": [{"status": "affected", "version": ">= 4.0.0-RC1, < 4.17.8"}, {"status": "affected", "version": ">= 5.0.0-RC1, < 5.9.14"}]}], "references": [{"url": "https://github.com/craftcms/cms/security/advisories/GHSA-vgjg-248p-rfm2", "name": "https://github.com/craftcms/cms/security/advisories/GHSA-vgjg-248p-rfm2", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/craftcms/cms/commit/d30df3112220db1ffd6726a3ed11857014c7fb27", "name": "https://github.com/craftcms/cms/commit/d30df3112220db1ffd6726a3ed11857014c7fb27", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/craftcms/cms/releases/tag/4.17.8", "name": "https://github.com/craftcms/cms/releases/tag/4.17.8", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/craftcms/cms/releases/tag/5.9.14", "name": "https://github.com/craftcms/cms/releases/tag/5.9.14", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can call assets/image-editor with the ID of a private asset they cannot view and still receive editor response data, including focalPoint. The endpoint returns private editing metadata without per-asset authorization validation. This issue has been patched in versions 4.17.8 and 5.9.14."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T17:31:28.077Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33161", "state": "PUBLISHED", "dateUpdated": "2026-03-24T18:02:07.070Z", "dateReserved": "2026-03-17T21:17:08.887Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-24T17:31:28.077Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "6D076F04-8397-4ED0-8428-6D04B786A0A1", "versionEndExcluding": "4.17.8", "versionStartExcluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "7ADCA708-F32E-4943-B523-CF5029C48A50", "versionEndExcluding": "5.9.14", "versionStartExcluding": "5.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "610F6DE9-720F-45B3-81D5-18E7F6B090FD", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "CC2F40FC-7C27-456A-B16D-679410D1D5CF", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "FBAA8227-04F8-404C-907B-B0162B325F5A", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "21B28E2C-327A-4CE6-ACAD-97E459712A55", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "1C7461CF-35AB-48E1-88B6-956DAE1D2AB4", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "8D8E02D1-601A-4E2B-B619-4775BFDB72D0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can call assets/image-editor with the ID of a private asset they cannot view and still receive editor response data, including focalPoint. The endpoint returns private editing metadata without per-asset authorization validation. This issue has been patched in versions 4.17.8 and 5.9.14."}, {"lang": "es", "value": "Craft CMS es un sistema de gesti\u00f3n de contenido (CMS). Desde la versi\u00f3n 4.0.0-RC1 hasta antes de la versi\u00f3n 4.17.8 y desde la versi\u00f3n 5.0.0-RC1 hasta antes de la versi\u00f3n 5.9.14, un usuario autenticado con bajos privilegios puede llamar a assets/image-editor con el ID de un activo privado que no puede ver y aun as\u00ed recibir datos de respuesta del editor, incluyendo focalPoint. El endpoint devuelve metadatos de edici\u00f3n privados sin validaci\u00f3n de autorizaci\u00f3n por activo. Este problema ha sido parcheado en las versiones 4.17.8 y 5.9.14."}], "id": "CVE-2026-33161", "lastModified": "2026-03-26T17:09:11.247", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 1.3, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-24T18:16:10.250", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/craftcms/cms/commit/d30df3112220db1ffd6726a3ed11857014c7fb27"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/craftcms/cms/releases/tag/4.17.8"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/craftcms/cms/releases/tag/5.9.14"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-vgjg-248p-rfm2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.0.0-RC1,4.17.8)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.0.0-RC1,5.9.14)"}}], "enrichment": {"confidence": 83.0, "confidence_source": "matching", "scores": [{"score": 83.0, "source": "matching"}]}, "original": {"product": "cms", "source": "cna", "vendor": "craftcms"}, "product": "craftcms", "vendor": "craftcms"}], "analysis": {"en": {"generated_at": "2026-03-26T18:59:17.924267+00:00", "value": {"mitigation_remediation": ["Update Craft CMS to version 4.17.8 or later, or to 5.9.14 or later, to apply the vendor patch that restores proper authorization checks for the assets/image-editor endpoint."], "summary": {"action": "Patch", "impact": "Unauthorized Disclosure of Asset Metadata"}, "threat_synthesis": {"affected_systems": "The flaw affects Craft CMS from version 4.0.0\u2011RC1 up to, but not including, 4.17.8, and from 5.0.0\u2011RC1 up to, but not including, 5.9.14. Any installation within these version ranges that still exposes the assets/image-editor route is vulnerable. The vendor is Craft CMS.", "description_and_impact": "Craft CMS exposes private asset editor metadata through the \"assets/image-editor\" endpoint. A user who has only low privileges can supply the ID of an asset that they normally cannot view and receive an editor response containing security-sensitive information such as focalPoint. The lack of per-asset authorization validation allows the disclosure of metadata that could reveal structural details of the private asset, thereby compromising confidentiality. The weakness corresponds to improper authorization and information disclosure.", "risk_and_exploitability": "The CVSS score of 1.3 indicates a very low severity from the vendor\u2019s perspective, and the EPSS score of less than 1% reflects a small likelihood of exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog, suggesting no widespread public exploitation. An attacker would need to authenticate at a lower privilege level and then craft an HTTP request to the exposed endpoint with an arbitrary asset ID. No additional conditions or exploit scripts are publicly documented, so the risk for most deployments remains minimal but should be mitigated promptly."}}}}, "created": "2026-03-25T11:46:56.578808+00:00", "updated": "2026-03-27T09:20:54.516591+00:00", "vendors": ["craftcms", "craftcms$PRODUCT$craftcms"]}