CVE-2026-50283: Craft CMS is a content management system (CMS). Versions 5.0.0-RC1 through 5.9.20, and 4.0.0-RC1 through 4.17.13 contain an authorization issue in the AssetsController::actionRepla
Craft CMS is a content management system (CMS). Versions 5.0.0-RC1 through 5.9.20, and 4.0.0-RC1 through 4.17.13 contain an authorization issue in the AssetsController::actionReplaceFile that can delete a source asset without source delete permission by supplying both assetId and sourceAssetId. AssetsController::actionReplaceFile() supports replacing a target asset file using another existing asset as the source. The action loads: assetId -> $assetToReplace and sourceAssetId -> $sourceAsset, then enforces replace permissions using ($assetToReplace ?: $sourceAsset). When both IDs are provided, this expression resolves to the target asset so no permission check is performed against the source asset volume. When both assets are present, Craft copies the source file into the target and then deletes the source asset. There is no deletion check for for the source asset. An authenticated user who can replace files in one volume can delete assets in another volume where they do not have delete permission, as long as they can obtain a sourceAssetId, leading to broken content references and data loss. This issue has been fixed in versions 4.17.14 and 5.9.21.
Details
Original advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-50283
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-502830.27% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 18% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-50283 | coverage & exploitation status | NVD · CVE.org |
Same CVEs, other sources
How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.
Recent advisories for Craft CMS is
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- highGHSA-86vw-x4ww-x467: Craft CMS: RCE via missing cleanseConfig in FieldsController::actionRenderCardPreviewghsa · 2026-07-09
- lowGHSA-c43v-4cr8-6mvp: Craft CMS has authenticated path traversal in `assets/icon`, allowing local `.svg` file r…ghsa · 2026-07-09
- highGHSA-f74w-488g-8x5r: Craft CMS: Potential authenticated Remote Code Execution via referrer redirectghsa · 2026-07-06
- mediumGHSA-xrqc-p465-2xvg: Craft CMS: Stored XSS via Structure entry title in table viewghsa · 2026-07-06
- mediumGHSA-287w-mxq6-x2cp: Craft CMS: Sensitive File Disclosure / Server-Side File Readghsa · 2026-07-06
- highGHSA-24x4-j6x9-rfw5: Craft CMS: DOM XSS via GitHub issue title in CraftSupport widgetghsa · 2026-07-06
More from NVD Recent CVEs
- mediumCVE-2026-10660: The Bluetooth BAP Broadcast Assistant GATT client in subsys/bluetooth/audio/bap_broadcast_assi…2026-07-11
- lowCVE-2026-61870: ImageMagick before 7.1.2-26 contains a memory leak vulnerability in the VIFF encoder when memo…2026-07-11
- lowCVE-2026-61861: ImageMagick before 7.1.2-26 contains a use-after-free vulnerability in the FormatMagickCaption…2026-07-11
- lowCVE-2026-61858: ImageMagick before 7.1.2-26 contains a policy bypass vulnerability in the APNG encoder and ext…2026-07-11
- lowCVE-2026-61857: ImageMagick before 7.1.2-26 contains a heap use-after-free vulnerability caused by missing nul…2026-07-11