Craft CMS Information Disclosure Vulnerability in Asset Image Editor Endpoint

Vulnerability

An information disclosure vulnerability affects Craft CMS 4.x from 4.0.0-RC1 up to but not including 4.17.8, and 5.x from 5.0.0-RC1 up to but not including 5.9.14. A low-privileged authenticated user can retrieve private editing metadata, including focal point data, for assets they are not permitted to view. The cause is that the 'assets/image-editor' endpoint does not check whether the requesting user is authorized to view the requested asset before returning the editor data.

Impact

Any authenticated user, regardless of permission level, can retrieve private editing metadata and editor context for assets that are otherwise inaccessible to them. The advisory also notes that this could serve as a stepping stone to further privacy violations or unauthorized actions within the CMS.

Remediation

Upgrade to Craft CMS 4.17.8 or later on the 4.x branch, or 5.9.14 or later on the 5.x branch.
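Before scheduling the upgrade it helps to know which installations actually fall inside the affected ranges stated above, including pre-release builds. The script below is an added example for this page, not code from the advisory or from Craft CMS. It reads the installed version of the craftcms/cms package from a composer.lock (a constructed sample is embedded), compares it against the two ranges from the advisory, and assumes the usual pre-release ordering alpha < beta < RC < final release for the same version number.

```python
import json
import re
from typing import Dict, Iterable, Optional, Tuple

# Affected ranges as stated in the advisory: lower bound inclusive, upper bound exclusive.
AFFECTED_RANGES: Tuple[Tuple[str, str], ...] = (
    ("4.0.0-RC1", "4.17.8"),
    ("5.0.0-RC1", "5.9.14"),
)

# Assumed pre-release ordering: alpha < beta < rc < final. A final release gets rank 3.
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.?(\d*))?$")


def parse_version(version: str) -> Tuple[int, int, int, int, int]:
    """Turn '4.0.0-RC1' into a sortable tuple (4, 0, 0, 2, 1)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Craft version string: {version!r}")
    major, minor, patch, pre, pre_num = m.groups()
    if pre is None:
        pre_key = (3, 0)  # final release sorts after every pre-release of the same number
    else:
        rank = _PRE_RANK.get(pre.lower())
        if rank is None:
            raise ValueError(f"unknown pre-release tag in {version!r}")
        pre_key = (rank, int(pre_num) if pre_num else 0)
    return (int(major), int(minor), int(patch)) + pre_key


def is_affected(version: str) -> bool:
    """True if the version lies in one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED_RANGES)


def installed_craft_version(composer_lock_text: str) -> Optional[str]:
    """Return the version of craftcms/cms recorded in a composer.lock, or None if absent."""
    data = json.loads(composer_lock_text)
    for pkg in data.get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg.get("version")
    return None


def check_versions(versions: Iterable[str]) -> Dict[str, bool]:
    """Map each version string to whether it is affected (handy for fleet inventories)."""
    return {v: is_affected(v) for v in versions}


# Constructed composer.lock fragment for illustration; only the fields used above are present.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "craftcms/cms", "version": "4.17.7"},
        {"name": "yiisoft/yii2", "version": "2.0.49"},
    ]
})

if __name__ == "__main__":
    installed = installed_craft_version(SAMPLE_COMPOSER_LOCK)
    print(f"installed craftcms/cms: {installed} -> affected: {is_affected(installed)}")
    for ver, hit in check_versions(["4.0.0-RC1", "4.0.0-beta.3", "5.9.13", "5.9.14"]).items():
        print(f"{ver:>12}: {'AFFECTED' if hit else 'not affected'}")
```

Because the upper bounds are exclusive, 4.17.8 and 5.9.14 themselves report as not affected, while 4.0.0-RC1 and 5.0.0-RC1 (the inclusive lower bounds) do; a 4.0.0 beta sorts below RC1 and is therefore outside the stated range.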

Added: Mar 24, 2026, 6:28 PM
Updated: Mar 24, 2026, 6:28 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 0.6
exploitability: 6.1
remediation: 7.7
relevance: 4.6
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.