[LOW] Craft CMS may expose private assets through anonymous "generate transform" calls via transform URL

PKSA-swp1-ty4d-gpzy CVE-2026-33160 GHSA-5pgf-h923-m958

Affected version: >=4.0.0-RC1,<=4.17.7|>=5.0.0-RC1,<=5.9.13

Reported by:
GitHub

[MEDIUM] Craft CMS: Unauthenticated Users Can Perform Restricted Project Config Sync Operations

PKSA-rxrx-pcy1-2csw CVE-2026-33159 GHSA-6mrr-q3pj-h53w

Affected version: >=4.0.0-RC1,<=4.17.7|>=5.0.0-RC1,<=5.9.13

Reported by:
GitHub

[MEDIUM] Craft CMS: Low-privilege users could read private asset contents when editing an asset (IDOR)

PKSA-548y-fsbg-y9t7 CVE-2026-33158 GHSA-3pvf-vxrv-hh9c

Affected version: >=5.0.0-RC1,<=5.9.13|>=4.0.0-RC1,<=4.17.7

Reported by:
GitHub

[HIGH] Craft CMS is Vulnerable to Authenticated Remote Code Execution via Malicious Attached Behavior

PKSA-twkq-r2c1-87qq CVE-2026-33157 GHSA-2fph-6v5w-89hh

Affected version: >=5.6.0,<=5.9.12

Reported by:
GitHub

[HIGH] Craft CMS Vulnerable to Privilege Escalation/Bypass through UsersController->actionImpersonateWithToken()

PKSA-s8c8-j6wr-t4ds CVE-2026-32267 GHSA-cc7p-2j3x-x7xf

Affected version: >=5.0.0-RC1,<=5.9.11|>=4.0.0-RC1,<=4.17.5

Reported by:
GitHub