216.73.216.86

CVE-2026-28781

· Published 04/03/2026 17:16 · Modified 05/03/2026 19:55

Labels: CVE-2026-28781 2026-03-04CVE-2026-28781CWE-639[email protected]

Essential information

Published
04/03/2026 17:16
Modified
05/03/2026 19:55
Author
Creator
CVSS
7.1 HIGH (v3) 7.1 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the entry creation process allows for Mass Assignment of the authorId attribute. A user with "Create Entries" permission can inject the authorIds[] (or authorId) parameter into the POST request, which the backend processes without verifying if the current user is authorized to assign authorship to others. Normally, this field is not present in the request for users without the necessary permissions. By manually adding this parameter, an attacker can attribute the new entry to any user, including Admins. This effectively "spoofs" the authorship. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1.

NVD status

Status
Analyzed — CVE is currently being analyzed by NVD staff, this process results in association of reference link tags, CVSS scores, CWE association, and CPE applicability statements.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
craftcms / craft cms cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
craftcms / craft cms cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
craftcms / craft cms cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:*
craftcms / craft cms cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*
craftcms / craft cms cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*
craftcms / craft cms cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*
craftcms / craft cms cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*
craftcms / craft cms cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*

References