Description

Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can read private asset content by calling assets/edit-image with an arbitrary assetId that they are not authorized to view. The endpoint returns image bytes (or a preview redirect) without enforcing a per-asset view authorization check, leading to potential unauthorized disclosure of private files. This issue has been patched in versions 4.17.8 and 5.9.14.

Remediation

References

CVE-2026-33158

Related Vulnerabilities

Oracle Database Server CVE-2015-4888 Vulnerability (CVE-2015-4888)

MySQL CVE-2018-3171 Vulnerability (CVE-2018-3171)

Perl Integer Overflow to Buffer Overflow Vulnerability (CVE-2026-8376)

WordPress Plugin BackWPup Cross-Site Scripting (3.2.3)

WordPress Comment Post Cross-Site Scripting Vulnerability (2.0)

Severity

Medium

Classification

CVE-2026-33158 CWE-639 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Missing Update Known Vulnerabilities