Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible with low authentication required; high integrity impact from unauthorized folder deletion; no confidentiality, availability, or scope change applies.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Craft CMS is a content management system (CMS). Versions 5.0.0-RC1 and above, prior to 5.9.21 and versions 4.0.0-RC1 and above prior to 4.17.14 contain an authorization issue where a forced folder move can delete a conflicting destination folder without destination delete permission. Function craft\\controllers\\AssetsController::actionMoveFolder() supports moving an asset folder into a destination parent folder. If a folder with the same name already exists at the destination, the action can be called with force=true to overwrite the destination. This issue has been resolved in versions 5.9.21 and 4.17.14.
AnalysisAI
Craft CMS versions 4.x prior to 4.17.14 and 5.x prior to 5.9.21 contain a missing authorization check (CWE-862) in the asset folder move operation that allows an authenticated user to delete a destination folder they lack delete permission on by exploiting the force=true overwrite path in AssetsController::actionMoveFolder(). The CVSS 4.0 score of 4.9 with PR:L and VI:H reflects a real but internally-scoped integrity impact: an attacker with move-but-not-delete rights can destroy asset content outside their permission boundary. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid Craft CMS user account with asset folder move permissions (PR:L per CVSS 4.0 vector). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector AV:N/AC:L/AT:N/PR:L/UI:N with VI:H and all other impact metrics at N accurately characterizes the risk profile: the attack is network-reachable with low complexity, but is gated on authenticated access (PR:L), which is the primary limiting factor. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated Craft CMS contributor account with move-asset-folder permissions but without delete permission on a specific destination folder sends a crafted POST request to the actionMoveFolder() endpoint specifying the target folder and including force=true. The application's missing authorization check allows the request to proceed, deleting the conflicting destination folder and replacing it with the moved folder - removing content the attacker was never authorized to delete. … |
| Remediation | Vendor-released patches are available: upgrade to Craft CMS 5.9.21 for the 5.x branch or 4.17.14 for the 4.x branch, as confirmed by the GitHub Security Advisory GHSA-3w32-23wj-rxg3 (https://github.com/craftcms/cms/security/advisories/GHSA-3w32-23wj-rxg3). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Cayin CMS suffers from an authenticated OS semi-blind command injection vulnerability using default credentials. Rated c
Multiple integer underflows in the icmLut_allocate function in International Color Consortium (ICC) Format library (iccl
phpKF CMS 3.00 Beta allows unauthenticated PHP file upload by disguising it as a PNG, then renaming it for execution. Po
Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0 to 7.2 an
Deserialization of Untrusted Data in the anti CSRF module in Sitecore through 9.1 allows an authenticated attacker to ex
SQL injection vulnerability in hava_post.php in Havalite CMS 1.1.0 and earlier allows remote attackers to execute arbitr
Unrestricted file upload vulnerability in hava_upload.php in Havalite CMS 1.1.0 and earlier allows remote attackers to e
Cross-site request forgery (CSRF) vulnerability in Ilch CMS allows remote attackers to hijack the authentication of admi
Multiple cross-site scripting (XSS) vulnerabilities in Havalite 1.0.4 and earlier allow remote attackers to inject arbit
A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.
A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.
A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41416
GHSA-3w32-23wj-rxg3