CVE Alert

CVE-2026-33162

UNKNOWN 0.0

Craft CMS: Authorization bypass in "entries/move-to-section" allows control panel user to move entries without section permissions

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 11th

Craft CMS is a content management system (CMS). From version 5.3.0 to before version 5.9.14, an authenticated control panel user with only the accessCp permission can move entries across sections via POST /actions/entries/move-to-section, even when they do not have the saveEntries:{sectionUid} permission for either the source or the destination section. This issue has been patched in version 5.9.14.

CWE: CWE-285, CWE-862
Vendor: craftcms
Product: cms
Published: Mar 24, 2026
Last Updated: Mar 25, 2026

Affected Versions

craftcms / cms
>= 5.3.0, < 5.9.14

References

github.com: https://github.com/craftcms/cms/security/advisories/GHSA-f582-6gf6-gx4g
github.com: https://github.com/craftcms/cms/commit/3c1ab1c4445dd9237855a66e6a06ecf3591a718e
github.com: https://github.com/craftcms/cms/releases/tag/5.9.14