Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-qmcc-3ued-m7gk
Vulnerability ID VCID-qmcc-3ued-m7gk
Aliases CVE-2026-28782
GHSA-jxm3-pmm2-9gf6
Summary Craft is a content management system (CMS). Prior to 5.9.0-beta.1 and 4.17.0-beta.1, the "Duplicate" entry action does not properly verify if the user has permission to perform this action on the specific target elements. Even with only "View Entries" permission (where the "Duplicate" action is restricted in the UI), a user can bypass this restriction by sending a direct request. Furthermore, this vulnerability allows duplicating other users' entries by specifying their Entry IDs. Since Entry IDs are incremental, an attacker can trivially brute-force these IDs to duplicate and access restricted content across the system. This vulnerability is fixed in 5.9.0-beta.1 and 4.17.0-beta.1.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-639 Authorization Bypass Through User-Controlled Key
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2026-28782
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2026-28782
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-jxm3-pmm2-9gf6
cvssv4 5.7 https://github.com/craftcms/cms
generic_textual MODERATE https://github.com/craftcms/cms
cvssv4 5.3 https://github.com/craftcms/cms/commit/fb61a91357f5761c852400185ba931f51d82783d
cvssv4 5.7 https://github.com/craftcms/cms/commit/fb61a91357f5761c852400185ba931f51d82783d
generic_textual MODERATE https://github.com/craftcms/cms/commit/fb61a91357f5761c852400185ba931f51d82783d
ssvc Track https://github.com/craftcms/cms/commit/fb61a91357f5761c852400185ba931f51d82783d
cvssv3.1_qr MODERATE https://github.com/craftcms/cms/security/advisories/GHSA-jxm3-pmm2-9gf6
cvssv4 5.3 https://github.com/craftcms/cms/security/advisories/GHSA-jxm3-pmm2-9gf6
cvssv4 5.7 https://github.com/craftcms/cms/security/advisories/GHSA-jxm3-pmm2-9gf6
generic_textual MODERATE https://github.com/craftcms/cms/security/advisories/GHSA-jxm3-pmm2-9gf6
ssvc Track https://github.com/craftcms/cms/security/advisories/GHSA-jxm3-pmm2-9gf6
cvssv4 5.7 https://nvd.nist.gov/vuln/detail/CVE-2026-28782
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2026-28782
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-28782
CVE-2026-28782 https://nvd.nist.gov/vuln/detail/CVE-2026-28782
fb61a91357f5761c852400185ba931f51d82783d https://github.com/craftcms/cms/commit/fb61a91357f5761c852400185ba931f51d82783d
GHSA-jxm3-pmm2-9gf6 https://github.com/advisories/GHSA-jxm3-pmm2-9gf6
GHSA-jxm3-pmm2-9gf6 https://github.com/craftcms/cms/security/advisories/GHSA-jxm3-pmm2-9gf6
No exploits are available.
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P Found at https://github.com/craftcms/cms
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://github.com/craftcms/cms/commit/fb61a91357f5761c852400185ba931f51d82783d
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P Found at https://github.com/craftcms/cms/commit/fb61a91357f5761c852400185ba931f51d82783d
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-04T17:34:53Z/ Found at https://github.com/craftcms/cms/commit/fb61a91357f5761c852400185ba931f51d82783d
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://github.com/craftcms/cms/security/advisories/GHSA-jxm3-pmm2-9gf6
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P Found at https://github.com/craftcms/cms/security/advisories/GHSA-jxm3-pmm2-9gf6
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-04T17:34:53Z/ Found at https://github.com/craftcms/cms/security/advisories/GHSA-jxm3-pmm2-9gf6
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P Found at https://nvd.nist.gov/vuln/detail/CVE-2026-28782
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.12995
EPSS Score 0.00042
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T16:43:59.281061+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2026/28xxx/CVE-2026-28782.json 38.6.0