CVE-2026-28782

Exploit

EPSS 0.04%
Veröffentlicht 04.03.2026 16:36:49
Zuletzt bearbeitet 05.03.2026 19:55:33
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Craft is a content management system (CMS). Prior to 5.9.0-beta.1 and 4.17.0-beta.1, the "Duplicate" entry action does not properly verify if the user has permission to perform this action on the specific target elements. Even with only "View Entries" permission (where the "Duplicate" action is restricted in the UI), a user can bypass this restriction by sending a direct request. Furthermore, this vulnerability allows duplicating other users' entries by specifying their Entry IDs. Since Entry IDs are incremental, an attacker can trivially brute-force these IDs to duplicate and access restricted content across the system. This vulnerability is fixed in 5.9.0-beta.1 and 4.17.0-beta.1.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Craftcms ≫ Craft Cms Version > 4.0.0 < 4.17.0

Craftcms ≫ Craft Cms Version > 5.0.0 < 5.9.0

Craftcms ≫ Craft Cms Version4.0.0 Update-

Craftcms ≫ Craft Cms Version4.0.0 Updaterc1

Craftcms ≫ Craft Cms Version4.0.0 Updaterc2

Craftcms ≫ Craft Cms Version4.0.0 Updaterc3

Craftcms ≫ Craft Cms Version5.0.0 Update-

Craftcms ≫ Craft Cms Version5.0.0 Updaterc1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.04%	0.106

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
security-advisories@github.com	5.3	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-639 Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

https://github.com/craftcms/cms/security/advisories/GHSA-jxm3-pmm2-9gf6

Patch

Vendor Advisory

Exploit

https://github.com/craftcms/cms/commit/fb61a91357f5761c852400185ba931f51d82783d

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-28782

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-28782

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-28782

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-28782