GHSA-xj2c-g5xp-4p47MediumCVSS 4.3

Craft CMS contains a missing authorization vulnerability in the assets/preview-thumb endpoint. A...

Published
June 21, 2026
Last Modified
June 21, 2026

🔗 CVE IDs covered (1)

📋 Description

Craft CMS contains a missing authorization vulnerability in the assets/preview-thumb endpoint. A Control Panel user without permission to view a target private asset can call the endpoint with an attacker-controlled assetId and receive preview HTML containing a signed fallback transform preview link for that private asset, because no asset-view permission check is performed before preview generation. This affects versions >= 4.0.0-RC1, <= 4.17.7 and >= 5.0.0-RC1, <= 5.9.13, and is fixed in 4.17.8 and 5.9.14.

🔗 References (5)