CVE-2026-33160— Craft CMS 安全漏洞

Craft CMS: Anonymous "generate transform" calls for assets can expose private assets via transform URL

Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, an unauthenticated user can call assets/generate-transform with a private assetId, receive a valid transform URL, and fetch transformed image bytes. The endpoint is anonymous and does not enforce per-asset authorization before returning the transform URL. This issue has been patched in versions 4.17.8 and 5.9.14.

N/A

通过用户控制密钥绕过授权机制

Craft CMS 安全漏洞

Craft CMS是Craft CMS开源的一套内容管理系统（CMS）。 Craft CMS 4.17.8之前版本和5.9.14之前版本存在安全漏洞，该漏洞源于未强制执行按资源授权检查，可能导致未经授权获取转换后的图像数据。

N/A

N/A