{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33162", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T21:17:08.887Z", "datePublished": "2026-03-24T17:32:27.208Z", "dateUpdated": "2026-03-25T13:40:37.056Z"}, "containers": {"cna": {"title": "Craft CMS: Authorization bypass in \"entries/move-to-section\" allows control panel user to move entries without section permissions", "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "lang": "en", "description": "CWE-285: Improper Authorization", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U", "version": "4.0"}}], "references": [{"name": "https://github.com/craftcms/cms/security/advisories/GHSA-f582-6gf6-gx4g", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-f582-6gf6-gx4g"}, {"name": "https://github.com/craftcms/cms/commit/3c1ab1c4445dd9237855a66e6a06ecf3591a718e", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/cms/commit/3c1ab1c4445dd9237855a66e6a06ecf3591a718e"}, {"name": "https://github.com/craftcms/cms/releases/tag/5.9.14", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/cms/releases/tag/5.9.14"}], "affected": [{"vendor": "craftcms", "product": "cms", "versions": [{"version": ">= 5.3.0, < 5.9.14", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T17:32:27.208Z"}, "descriptions": [{"lang": "en", "value": "Craft CMS is a content management system (CMS). From version 5.3.0 to before version 5.9.14, an authenticated control panel user with only accessCp can move entries across sections via POST /actions/entries/move-to-section, even when they do not have saveEntries:{sectionUid} permission for either source or destination section. This issue has been patched in version 5.9.14."}], "source": {"advisory": "GHSA-f582-6gf6-gx4g", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T13:40:29.278579Z", "id": "CVE-2026-33162", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T13:40:37.056Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33162", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T13:40:29.278579Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T13:40:32.677Z"}}], "cna": {"title": "Craft CMS: Authorization bypass in \"entries/move-to-section\" allows control panel user to move entries without section permissions", "source": {"advisory": "GHSA-f582-6gf6-gx4g", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "craftcms", "product": "cms", "versions": [{"status": "affected", "version": ">= 5.3.0, < 5.9.14"}]}], "references": [{"url": "https://github.com/craftcms/cms/security/advisories/GHSA-f582-6gf6-gx4g", "name": "https://github.com/craftcms/cms/security/advisories/GHSA-f582-6gf6-gx4g", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/craftcms/cms/commit/3c1ab1c4445dd9237855a66e6a06ecf3591a718e", "name": "https://github.com/craftcms/cms/commit/3c1ab1c4445dd9237855a66e6a06ecf3591a718e", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/craftcms/cms/releases/tag/5.9.14", "name": "https://github.com/craftcms/cms/releases/tag/5.9.14", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Craft CMS is a content management system (CMS). From version 5.3.0 to before version 5.9.14, an authenticated control panel user with only accessCp can move entries across sections via POST /actions/entries/move-to-section, even when they do not have saveEntries:{sectionUid} permission for either source or destination section. This issue has been patched in version 5.9.14."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "CWE-285: Improper Authorization"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T17:32:27.208Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33162", "state": "PUBLISHED", "dateUpdated": "2026-03-25T13:40:37.056Z", "dateReserved": "2026-03-17T21:17:08.887Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-24T17:32:27.208Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "ECC30E7E-C919-4CE7-9A4D-CB5B149922F6", "versionEndExcluding": "5.9.14", "versionStartIncluding": "5.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Craft CMS is a content management system (CMS). From version 5.3.0 to before version 5.9.14, an authenticated control panel user with only accessCp can move entries across sections via POST /actions/entries/move-to-section, even when they do not have saveEntries:{sectionUid} permission for either source or destination section. This issue has been patched in version 5.9.14."}, {"lang": "es", "value": "Craft CMS es un sistema de gesti\u00f3n de contenido (CMS). Desde la versi\u00f3n 5.3.0 hasta antes de la versi\u00f3n 5.9.14, un usuario autenticado del panel de control con solo accessCp puede mover entradas entre secciones a trav\u00e9s de POST /actions/entries/move-to-section, incluso cuando no tienen el permiso saveEntries:{sectionUid} para la secci\u00f3n de origen o de destino. Este problema ha sido parcheado en la versi\u00f3n 5.9.14."}], "id": "CVE-2026-33162", "lastModified": "2026-03-26T20:41:41.400", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-24T18:16:10.420", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/craftcms/cms/commit/3c1ab1c4445dd9237855a66e6a06ecf3591a718e"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/craftcms/cms/releases/tag/5.9.14"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-f582-6gf6-gx4g"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}, {"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.3.0,5.9.14)"}}], "enrichment": {"confidence": 83.0, "confidence_source": "matching", "scores": [{"score": 83.0, "source": "matching"}]}, "original": {"product": "cms", "source": "cna", "vendor": "craftcms"}, "product": "craftcms", "vendor": "craftcms"}], "analysis": {"en": {"generated_at": "2026-03-26T21:34:13.156858+00:00", "value": {"mitigation_remediation": ["Upgrade Craft CMS to version 5.9.14 or later."], "summary": {"action": "Patch immediately", "impact": "Unauthorized modification of content via section bypass"}, "threat_synthesis": {"affected_systems": "Craft CMS versions from 5.3.0 through 5.9.13 are affected. The flaw is present in the core application, and the product affects all sites running the vulnerable releases. Patching to 5.9.14 or later resolves the issue.", "description_and_impact": "A flaw in Craft CMS\u2019s move\u2011to\u2011section endpoint allows a user who only holds general control\u2011panel access, but not the specific saveEntries permission for a section, to relocate any entry to any other section. The issue permits an authenticated attacker to reorder or reclassify content without proper authorization, potentially exposing sensitive materials or altering site structure. The weakness is a classic authorization bypass, reflected in CWE\u2011285 and CWE\u2011862.", "risk_and_exploitability": "The CVSS score of 4.9 places the vulnerability in the moderate range, while the EPSS score is under 1\u202f% and the vulnerability is not currently listed in KEV. The exploit requires authentication and the ability to reach the control panel; the likely attack vector is an internal or compromised credential gaining access to the CMS admin interface."}}}}, "created": "2026-03-25T11:46:54.779661+00:00", "updated": "2026-03-27T09:20:53.572500+00:00", "vendors": ["craftcms", "craftcms$PRODUCT$craftcms"]}