Back to overview

CVE-2026-14793

MEDIUM
4.3
CVSS 3.1
Description
A vulnerability was detected in Craft CMS up to 4.18.0.1. Affected is the function actionReorderSets of the file src/controllers/GlobalsController.php of the component reorder-sets Endpoint. The manipulation results in authorization bypass. The attack can be executed remotely. Upgrading to version 4.18.1 is able to address this issue. The patch is identified as 9bd05c91e6a7e6da5e949ec41a31c220c059aa04. The affected component should be upgraded.

Metadata

CVE ID
CVE-2026-14793
State
PUBLISHED
Assigner
VulDB
Reserved
2026-07-05 18:26 UTC
Published
2026-07-06 03:30 UTC
Last updated
2026-07-06 03:30 UTC
Primary CWE
CWE-639
Authorization Bypass
Vendor / Product
Craft / CMS
Sources
cve.org  ·  NVD

Severity & Metrics

4.3 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:X/RL:O/RC:C
Affected products (1)
VendorProductPlatformVersions
Craft CMS 4.18.0.0, 4.18.0.1, 4.18.1
Weakness (CWE)
CWESourceDescription
CWE-285 cna Improper Authorization
CWE-639 cna Authorization Bypass
CVSS scores (4)
ScoreSeverityVersionSourceVector
5.3 MEDIUM 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X
4.3 MEDIUM 3.1 cna CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:X/RL:O/RC:C
4.3 MEDIUM 3.0 cna CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:X/RL:O/RC:C
4.0 N/D 2.0 cna AV:N/AC:L/Au:S/C:N/I:P/A:N/E:ND/RL:OF/RC:C
References (6)
Back to overview