[MEDIUM] Craft CMS: Unauthenticated Users Can Perform Restricted Project Config Sync Operations

PKSA-rxrx-pcy1-2csw CVE-2026-33159 GHSA-6mrr-q3pj-h53w

Affected package: craftcms/cms

Affected version: >=4.0.0-RC1,<=4.17.7|>=5.0.0-RC1,<=5.9.13

Reported by:
GitHub