CVE-2026-14794
Craft CMS Charts Endpoint ChartsController.php actionGetNewUsersData improper authorization
CVSS Score
4.3
EPSS Score
0.2%
EPSS Percentile
13th
A flaw has been found in Craft CMS up to 4.18.0.1. Affected by this vulnerability is the function actionGetNewUsersData of the file src/controllers/ChartsController.php of the component Charts Endpoint. This manipulation of the argument userGroupId causes improper authorization. The attack is possible to be carried out remotely. Upgrading to version 4.18.1 addresses this issue. Patch name: 9ee53efc1314e6aba32771c66a13e072a246f4ce. It is suggested to upgrade the affected component.
| CWE | CWE-285 CWE-266 |
| Vendor | craft |
| Product | cms |
| Published | Jul 6, 2026 |
| Last Updated | Jul 6, 2026 |
Stay Ahead of the Next One
Get instant alerts for craft cms
Be the first to know when new medium vulnerabilities affecting craft cms are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
Craft / CMS
4.18.0.0 4.18.0.1
References
vuldb.com: https://vuldb.com/vuln/376388 vuldb.com: https://vuldb.com/vuln/376388/cti vuldb.com: https://vuldb.com/cve/CVE-2026-14794 vuldb.com: https://vuldb.com/submit/850793 github.com: https://github.com/craftcms/cms/commit/9ee53efc1314e6aba32771c66a13e072a246f4ce github.com: https://github.com/craftcms/cms/releases/tag/4.18.1
Credits
๐ geochen (VulDB User)