GHSA-vgjg-248p-rfm2

Source

https://github.com/advisories/GHSA-vgjg-248p-rfm2

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-vgjg-248p-rfm2/GHSA-vgjg-248p-rfm2.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-vgjg-248p-rfm2

Aliases

CVE-2026-33161

Published

2026-03-24T17:27:17Z

Modified

2026-03-25T21:18:45.729333Z

Severity

1.3 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U CVSS Calculator

Summary

Craft CMS' anonymous "assets/image-editor" calls return private asset editor metadata to unauthorized users

Details

Summary

A low-privileged authenticated user can call assets/image-editor with the ID of a private asset they cannot view and still receive editor response data, including focalPoint.

The endpoint returns private editing metadata without per-asset authorization validation.

Root-cause analysis:

actionImageEditor() accepts assetId from the request body.
The asset is loaded, and the focal-point data is read.
Response returns html and focalPoint.
No explicit authorization check is applied before the response.

Impact

Affected deployments:

Craft sites where asset edit metadata should remain restricted to authorized users.

Security consequence:

Unauthorized users can extract private editor metadata and related editor context for inaccessible assets.

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-24T17:27:17Z",
    "cwe_ids": [
        "CWE-200",
        "CWE-862"
    ],
    "nvd_published_at": "2026-03-24T18:16:10Z",
    "severity": "LOW"
}

References

Affected packages

Packagist / craftcms/cms

Package

Name: craftcms/cms
Purl: pkg:composer/craftcms/cms

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0-RC1

Fixed

5.9.14

Affected versions

5.*

5.0.0-RC1

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.1.0

5.1.1

5.1.2

5.1.3

5.1.4

5.1.5

5.1.6

5.1.7

5.1.8

5.1.9

5.1.10

5.2.0-beta.1

5.2.0-beta.2

5.2.0-beta.3

5.2.0-beta.4

5.2.0-beta.5

5.2.0-beta.6

5.2.0

5.2.1

5.2.2

5.2.3

5.2.4

5.2.4.1

5.2.5

5.2.6

5.2.7

5.2.8

5.2.9

5.2.10

5.3.0-beta.1

5.3.0-beta.2

5.3.0

5.3.0.1

5.3.0.2

5.3.0.3

5.3.1

5.3.2

5.3.3

5.3.4

5.3.5

5.3.6

5.4.0

5.4.0.1

5.4.1

5.4.2

5.4.3

5.4.4

5.4.5

5.4.5.1

5.4.6

5.4.7

5.4.7.1

5.4.8

5.4.9

5.4.10

5.4.10.1

5.5.0

5.5.0.1

5.5.1

5.5.1.1

5.5.2

5.5.3

5.5.4

5.5.5

5.5.6

5.5.6.1

5.5.7

5.5.8

5.5.9

5.5.10

5.6.0

5.6.0.1

5.6.0.2

5.6.1

5.6.2

5.6.3

5.6.4

5.6.5

5.6.5.1

5.6.6

5.6.7

5.6.8

5.6.9

5.6.9.1

5.6.10

5.6.10.1

5.6.10.2

5.6.11

5.6.12

5.6.13

5.6.14

5.6.15

5.6.16

5.6.17

5.7.0-beta.1

5.7.0-beta.2

5.7.0

5.7.1

5.7.1.1

5.7.2

5.7.3

5.7.4

5.7.5

5.7.6

5.7.7

5.7.8

5.7.8.1

5.7.8.2

5.7.9

5.7.10

5.7.11

5.8.0

5.8.1

5.8.2

5.8.3

5.8.4

5.8.5

5.8.6

5.8.7

5.8.8

5.8.9

5.8.10

5.8.11

5.8.12

5.8.13

5.8.13.1

5.8.13.2

5.8.14

5.8.15

5.8.16

5.8.17

5.8.18

5.8.19

5.8.20

5.8.21

5.8.22

5.8.23

5.9.0-beta.1

5.9.0-beta.2

5.9.0

5.9.1

5.9.2

5.9.3

5.9.4

5.9.5

5.9.6

5.9.7

5.9.8

5.9.9

5.9.10

5.9.11

5.9.12

5.9.13

Database specific

last_known_affected_version_range

"<= 5.9.13"

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-vgjg-248p-rfm2/GHSA-vgjg-248p-rfm2.json"

Packagist / craftcms/cms

Package

Name: craftcms/cms
Purl: pkg:composer/craftcms/cms

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0.0-RC1

Fixed

4.17.8

Affected versions

4.*

4.0.0-RC1

4.0.0-RC2

4.0.0-RC3

4.0.0

4.0.0.1

4.0.1

4.0.2

4.0.3

4.0.4

4.0.5

4.0.5.1

4.0.5.2

4.0.6

4.1.0

4.1.0.1

4.1.0.2

4.1.1

4.1.2

4.1.3

4.1.4

4.1.4.1

4.2.0

4.2.0.1

4.2.0.2

4.2.1

4.2.1.1

4.2.2

4.2.3

4.2.4

4.2.5

4.2.5.1

4.2.5.2

4.2.6

4.2.7

4.2.8

4.3.0

4.3.1

4.3.2

4.3.2.1

4.3.3

4.3.4

4.3.5

4.3.6

4.3.6.1

4.3.7

4.3.7.1

4.3.8

4.3.8.1

4.3.8.2

4.3.9

4.3.10

4.3.11

4.4.0-beta.1

4.4.0-beta.2

4.4.0-beta.3

4.4.0-beta.4

4.4.0-beta.5

4.4.0-beta.6

4.4.0-beta.7

4.4.0

4.4.1

4.4.2

4.4.3

4.4.4

4.4.5

4.4.6

4.4.6.1

4.4.7

4.4.7.1

4.4.8

4.4.9

4.4.10

4.4.10.1

4.4.11

4.4.12

4.4.13

4.4.14

4.4.15

4.4.16

4.4.16.1

4.4.17

4.5.0-beta.1

4.5.0-beta.2

4.5.0

4.5.1

4.5.2

4.5.3

4.5.4

4.5.5

4.5.6

4.5.6.1

4.5.7

4.5.8

4.5.9

4.5.10

4.5.11

4.5.11.1

4.5.12

4.5.13

4.5.14

4.5.15

4.6.0-RC1

4.6.0

4.6.1

4.7.0

4.7.1

4.7.2

4.7.2.1

4.7.3

4.7.4

4.8.0

4.8.1

4.8.2

4.8.3

4.8.4

4.8.5

4.8.6

4.8.7

4.8.8

4.8.9

4.8.10

4.8.11

4.9.0

4.9.1

4.9.2

4.9.3

4.9.4

4.9.5

4.9.6

4.9.7

4.10.0-beta.1

4.10.0-beta.2

4.10.0

4.10.1

4.10.2

4.10.3

4.10.4

4.10.5

4.10.6

4.10.7

4.10.8

4.11.0

4.11.0.1

4.11.0.2

4.11.1

4.11.2

4.11.3

4.11.4

4.11.5

4.12.0

4.12.1

4.12.2

4.12.3

4.12.4

4.12.4.1

4.12.5

4.12.6

4.12.6.1

4.12.7

4.12.8

4.12.9

4.13.0

4.13.1

4.13.1.1

4.13.2

4.13.3

4.13.4

4.13.5

4.13.6

4.13.7

4.13.8

4.13.9

4.13.10

4.14.0

4.14.0.1

4.14.0.2

4.14.1

4.14.2

4.14.3

4.14.4

4.14.5

4.14.6

4.14.7

4.14.8

4.14.8.1

4.14.9

4.14.10

4.14.11

4.14.11.1

4.14.12

4.14.13

4.14.14

4.14.15

4.15.0-beta.1

4.15.0-beta.2

4.15.0

4.15.0.1

4.15.0.2

4.15.1

4.15.2

4.15.3

4.15.4

4.15.5

4.15.6

4.15.6.1

4.15.6.2

4.15.7

4.16.0

4.16.1

4.16.2

4.16.3

4.16.4

4.16.5

4.16.6

4.16.6.1

4.16.7

4.16.8

4.16.9

4.16.9.1

4.16.10

4.16.11

4.16.12

4.16.13

4.16.14

4.16.15

4.16.16

4.16.17

4.16.18

4.16.19

4.17.0-beta.1

4.17.0-beta.2

4.17.0

4.17.1

4.17.2

4.17.3

4.17.4

4.17.5

4.17.6

4.17.7

Database specific

last_known_affected_version_range

"<= 4.17.7"

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-vgjg-248p-rfm2/GHSA-vgjg-248p-rfm2.json"