Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Authenticated user with a specific volume permission (PR:L) sends a network request (AV:N/AC:L/UI:N); impact is destructive deletion of peer data, giving I:H with no confidentiality and no distinct availability-service impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Craft CMS is a content management system (CMS). In versions 5.0.0-RC1 through 5.9.21 and 4.0.0-RC1 through 4.17.14, theAssetsController::actionDeleteFolder() only requires the deleteAssets:<volume-uid> permission for the target folder. It never enforces deletePeerAssets:<volume-uid>, even though Assets::deleteFoldersByIds() cascades deletion to every descendant folder and every asset inside, regardless of the uploader's assigned privileges. A low-privilege user who has been granted folder-management rights on a shared volume can therefore destroy assets uploaded by other users (peer assets), bypassing the per-asset peer-permission check that the sibling actionDeleteAsset endpoint correctly applies. This issue has been fixed in versions 4.17.15 and 5.9.22.
AnalysisAI
Broken authorization in Craft CMS lets a low-privilege authenticated user destroy other users' assets on a shared volume. AssetsController::actionDeleteFolder() checks only the deleteAssets:<volume-uid> permission for the target folder but never enforces deletePeerAssets:<volume-uid>, while the underlying Assets::deleteFoldersByIds() cascades deletion to every descendant folder and asset regardless of who uploaded them. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated Craft CMS account (PR:L) that has been granted the deleteAssets:<volume-uid> / folder-management permission on a volume that is SHARED with other users, and that volume must actually contain peer assets (files uploaded by other users). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N, base 7.1) is internally consistent with the description: network-reachable, low-complexity, requiring low privileges (PR:L - an authenticated user with folder-management rights) and no user interaction, with high integrity impact from destructive deletion and no confidentiality impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A contributor with folder-management rights on a shared media volume issues a delete-folder request against a parent folder that also contains images uploaded by other editors. Because actionDeleteFolder never checks deletePeerAssets, the cascading deletion removes every peer asset and subfolder in that tree, destroying colleagues' content the attacker was never authorized to touch. … |
| Remediation | Upgrade to the patched releases: Craft CMS 4.17.15 for the 4.x line or 5.9.22 for the 5.x line, per vendor advisory GHSA-7h62-6v23-v8fm (https://github.com/craftcms/cms/security/advisories/GHSA-7h62-6v23-v8fm); the fix is implemented in commit b4e08977f0c9bdf002a77f9f6d1346cd55ac0598. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Craft CMS instances and document current versions (4.x vs 5.x). …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Cayin CMS suffers from an authenticated OS semi-blind command injection vulnerability using default credentials. Rated c
Multiple integer underflows in the icmLut_allocate function in International Color Consortium (ICC) Format library (iccl
phpKF CMS 3.00 Beta allows unauthenticated PHP file upload by disguising it as a PNG, then renaming it for execution. Po
Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0 to 7.2 an
Deserialization of Untrusted Data in the anti CSRF module in Sitecore through 9.1 allows an authenticated attacker to ex
SQL injection vulnerability in hava_post.php in Havalite CMS 1.1.0 and earlier allows remote attackers to execute arbitr
Unrestricted file upload vulnerability in hava_upload.php in Havalite CMS 1.1.0 and earlier allows remote attackers to e
Cross-site request forgery (CSRF) vulnerability in Ilch CMS allows remote attackers to hijack the authentication of admi
Multiple cross-site scripting (XSS) vulnerabilities in Havalite 1.0.4 and earlier allow remote attackers to inject arbit
A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.
A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.
A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41208
GHSA-7h62-6v23-v8fm