๐Ÿ” CVE Alert

CVE-2026-14794

MEDIUM 4.3

Craft CMS Charts Endpoint ChartsController.php actionGetNewUsersData improper authorization

CVSS Score
4.3
EPSS Score
0.2%
EPSS Percentile
13th

A flaw has been found in Craft CMS up to 4.18.0.1. Affected by this vulnerability is the function actionGetNewUsersData of the file src/controllers/ChartsController.php of the component Charts Endpoint. This manipulation of the argument userGroupId causes improper authorization. The attack is possible to be carried out remotely. Upgrading to version 4.18.1 addresses this issue. Patch name: 9ee53efc1314e6aba32771c66a13e072a246f4ce. It is suggested to upgrade the affected component.

CWE CWE-285 CWE-266
Vendor craft
Product cms
Published Jul 6, 2026
Last Updated Jul 6, 2026
Stay Ahead of the Next One

Get instant alerts for craft cms

Be the first to know when new medium vulnerabilities affecting craft cms are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

Craft / CMS
4.18.0.0 4.18.0.1

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
vuldb.com: https://vuldb.com/vuln/376388 vuldb.com: https://vuldb.com/vuln/376388/cti vuldb.com: https://vuldb.com/cve/CVE-2026-14794 vuldb.com: https://vuldb.com/submit/850793 github.com: https://github.com/craftcms/cms/commit/9ee53efc1314e6aba32771c66a13e072a246f4ce github.com: https://github.com/craftcms/cms/releases/tag/4.18.1

Credits

๐Ÿ” geochen (VulDB User)