CVE-2026-50280 — Craft CMS: Authorization bypass in `entries/move-to-section` via missing target-section save check

AI Predicted: 7.5 · Difficulty: Easy · EPSS: 0.27% · P19

Affected Version Matrix (1)

Vendor     Product   Version Range              Status
craftcms   cms       >= 5.0.0-RC1, < 5.9.21     affected

I. Basic Information for CVE-2026-50280

Vulnerability Information

Vulnerability Title
Craft CMS: Authorization bypass in `entries/move-to-section` via missing target-section save check
Source: NVD (National Vulnerability Database)
Vulnerability Description
Craft CMS is a content management system (CMS). In versions 5.0.0-RC1 and above prior to 5.9.21, the EntriesController::actionMoveToSection() endpoint gates the destination section only by viewEntries:$section->uid rather than requiring saveEntries permission (the source entry is separately checked via Entry::canMove()). As a result, a low-privileged authenticated control-panel user who can move an entry out of its current section can call moveEntryToSection() to rewrite the entry's sectionId and save it into a section where they have read access but no write access. This breaks the section-level authorization model, letting a user with limited permissions inject content into a protected section and interfere with editorial boundaries, approval workflows, and section-specific business logic. This issue has been fixed in version 5.9.21.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
Improper Access Control
Source: NVD (National Vulnerability Database)
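The check the description above pins the bug on, modelled as an added illustrative PHP script that is not Craft's code: the destination-section gate that accepts `viewEntries:<uid>` beside one that requires `saveEntries:<uid>`, run for a user who can only read the target section. The class and function names, the permission strings, the source-side `canMove()` stand-in and the sample user are assumptions standing in for Craft's real classes.

```php
<?php
declare(strict_types=1);

// Illustrative model (assumption, not Craft's code): permissions are strings
// such as "viewEntries:<sectionUid>" / "saveEntries:<sectionUid>" as named in the advisory.
final class CpUser
{
    /** @param string[] $permissions */
    public function __construct(private array $permissions) {}
    public function can(string $permission): bool
    {
        return in_array($permission, $this->permissions, true);
    }
}

final class EntryModel
{
    public function __construct(public int $id, public string $sectionUid) {}
    // Stand-in for the source-side check the advisory attributes to Entry::canMove():
    // the user must be allowed to save entries in the entry's current section.
    public function canMove(CpUser $user): bool
    {
        return $user->can("saveEntries:{$this->sectionUid}");
    }
}

// Moves $entry into $targetSectionUid or throws. $requireSaveOnTarget selects the gate:
// false models the pre-5.9.21 behaviour (view access on the destination suffices),
// true models the corrected behaviour (save access on the destination is required).
function moveEntryToSection(CpUser $user, EntryModel $entry, string $targetSectionUid, bool $requireSaveOnTarget): void
{
    if (!$entry->canMove($user)) {
        throw new RuntimeException('Forbidden: cannot move entry out of its current section');
    }
    $needed = ($requireSaveOnTarget ? 'saveEntries:' : 'viewEntries:') . $targetSectionUid;
    if (!$user->can($needed)) {
        throw new RuntimeException("Forbidden: missing $needed");
    }
    $entry->sectionUid = $targetSectionUid; // the write that the weak gate leaves unprotected
}

// Constructed sample: an editor who can write to "blog" but may only read "press-releases".
$editor = new CpUser(['viewEntries:blog', 'saveEntries:blog', 'viewEntries:press-releases']);

foreach ([[false, 'vulnerable gate'], [true, 'hardened gate']] as [$hardened, $label]) {
    $entry = new EntryModel(42, 'blog');
    try {
        moveEntryToSection($editor, $entry, 'press-releases', $hardened);
        echo "$label: entry {$entry->id} now in section {$entry->sectionUid}\n";
    } catch (RuntimeException $e) {
        echo "$label: {$e->getMessage()}\n";
    }
}
```

The first iteration lets the read-only user land the entry in the protected section; the second refuses it, which is the behaviour the section-level permission model expects.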

Affected Products

Vendor     Product   Affected Versions          CPE
craftcms   cms       >= 5.0.0-RC1, < 5.9.21     -

II. Public POCs for CVE-2026-50280

No public POC found.

III. Intelligence Information for CVE-2026-50280

Patches & Fixes for CVE-2026-50280 (1)

Vendor Advisories for CVE-2026-50280 (1)

Same Patch Batch · craftcms · 2026-07-01 · 9 CVEs total

CVE-2026-50284  Craft CMS: Missing peer-permission check in `AssetsController::actionDeleteFolder` allows
CVE-2026-50279  Craft CMS: Authorship spoofing in `entries/save-entry` via pre-check/post-mutation authori
CVE-2026-50283  Craft CMS: Unauthorized Deletion of Source Assets During File Replacement
CVE-2026-55793  Craft CMS: Stored XSS via Structure entry title in table view
CVE-2026-55790  Craft CMS: DOM XSS via GitHub issue title in CraftSupport widget
CVE-2026-55792  Craft CMS: Sensitive File Disclosure / Server-Side File Read
CVE-2026-55791  Craft CMS: Blind SSRF and Arbitrary JavaScript Injection via Host Header Poisoning in acti
CVE-2026-55794  Craft CMS: Potential authenticated Remote Code Execution via referrer redirect

IV. Related Vulnerabilities

V. Comments for CVE-2026-50280

No comments yet