Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Craft CMS 5.9.5 and earlier contains a Missing Authorization vulnerability in the migrate endpoint (/actions/app/migrate).
AnalysisAI
Unauthorized invocation of the database migration endpoint (/actions/app/migrate) in Craft CMS 5.9.5 and earlier lets remote, unauthenticated attackers reach functionality that should be gated behind administrative authorization. The flaw stems from a missing authorization check (CWE-862) rather than a credential bypass on the login flow, and publicly available exploit code exists, though it is not listed in CISA KEV. CVSS is 7.3 with Low impact across confidentiality, integrity, and availability, reflecting partial rather than total compromise.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today