Back to search
CVE-2026-33159
Published: Mar 24, 2026
Modified: Mar 24, 2026
PUBLISHED
Description
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, guest users can access Config Sync updater index, obtain signed data, and execute state-changing Config Sync actions (regenerate-yaml, apply-yaml-changes) without authentication. This issue has been patched in versions 4.17.8 and 5.9.14.
| Vendor | Product | Versions |
|---|---|---|
craftcms | cms | affected >= 4.0.0-RC1, < 4.17.8affected >= 5.0.0-RC1, < 5.9.14 |
References
https://github.com/craftcms/cms/security/advisories/GHSA-6mrr-q3pj-h53w
x_refsource_CONFIRM
https://github.com/craftcms/cms/releases/tag/4.17.8
x_refsource_MISC
https://github.com/craftcms/cms/releases/tag/5.9.14
x_refsource_MISC
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now