CVE-2026-50282

Severity: Medium (CVSS 4.9)

Exploitation Probability (EPSS)

Low risk
0.21%

11th percentile — higher than 11% of all known CVEs

Summary

Craft CMS versions 5.0.0-RC1 and later before 5.9.21, and 4.0.0-RC1 and later before 4.17.14, contain an authorization issue: a forced folder move can delete a conflicting folder at the destination without the delete permission that operation normally requires. The flaw is in the actionMoveFolder() action of the AssetsController.

Risk Assessment

A user who can move asset folders but lacks delete permission on the destination can remove an existing destination folder by forcing the move, potentially causing data loss or application disruption.

Recommendation

Update Craft CMS to version 5.9.21 or 4.17.14 immediately to remediate the vulnerability.

Original NVD description (English source)

Craft CMS is a content management system (CMS). Versions 5.0.0-RC1 and above, prior to 5.9.21, and versions 4.0.0-RC1 and above, prior to 4.17.14, contain an authorization issue where a forced folder move can delete a conflicting destination folder without destination delete permission. Function craft\controllers\AssetsController::actionMoveFolder() supports moving an asset folder into a destination parent folder. If a folder with the same name already exists at the destination, the action can be called with force=true to overwrite the destination. This issue has been resolved in versions 5.9.21 and 4.17.14.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS