๐Ÿ” CVE Alert

CVE-2026-50282

UNKNOWN 0.0

Craft CMS: Unauthorized Deletion of Destination Folders During Forced Moves

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Craft CMS is a content management system (CMS). Versions 5.0.0-RC1 and above, prior to 5.9.21 and versions 4.0.0-RC1 and above prior to 4.17.14 contain an authorization issue where a forced folder move can delete a conflicting destination folder without destination delete permission. Function craft\\controllers\\AssetsController::actionMoveFolder() supports moving an asset folder into a destination parent folder. If a folder with the same name already exists at the destination, the action can be called with force=true to overwrite the destination. This issue has been resolved in versions 5.9.21 and 4.17.14.

CWE CWE-862
Vendor craftcms
Product cms
Published Jul 2, 2026
Last Updated Jul 2, 2026
Stay Ahead of the Next One

Get instant alerts for craftcms cms

Be the first to know when new unknown vulnerabilities affecting craftcms cms are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

craftcms / cms
>= 5.0.0-RC1, < 5.9.21 >= 4.0.0-RC1, <= 4.17.14

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/craftcms/cms/security/advisories/GHSA-3w32-23wj-rxg3