[LOW] Craft CMS may expose private assets through anonymous "generate transform" calls via transform URL

PKSA-swp1-ty4d-gpzy CVE-2026-33160 GHSA-5pgf-h923-m958

Affected package: craftcms/cms

Affected version: >=4.0.0-RC1,<=4.17.7|>=5.0.0-RC1,<=5.9.13

Reported by:
GitHub