CVE-2026-33162
Craft CMS: Authorization bypass in "entries/move-to-section" allows control panel user to move entries without section permissionsCraft CMS is a content management system (CMS). From version 5.3.0 to before version 5.9.14, an authenticated control panel user with only accessCp can move entries across sections via POST /actions/entries/move-to-section, even when they do not have saveEntries:{sectionUid} permission for either source or destination section. This issue has been patched in version 5.9.14.
We have discovered 2 live websites that are affected by CVE-2026-33162.
Affected Software
| Product |  CrafterCMS |
| Category | Content Management System |
| Vulnerable Domains | 2 live websites (100% of CrafterCMS install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 1 versions ( 100% of all versions) |
Common Weakness Enumeration
CWE-285 Improper AuthorizationDetails
- Published - Mar 24, 2026
- Updated - Mar 25, 2026
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2026-33162 United States | 2 websites |
Website Distribution by TLD
Number of websites using CVE-2026-33162| .com | 1 websites |
| .de | 1 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2026-33162
Top websites that are affected by CVE-2026-33162. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *******.de | United States | **,***,*** | |
| ***************.com | United States | **,***,*** |
FAQ
CVE-2026-33162 is Improper Authorization in CrafterCMS
A total of 2 websites have been identified as vulnerable to CVE-2026-33162, based on global website indexing conducted by WebTechSurvey.
The CrafterCMS is affected by the CVE-2026-33162 vulnerability.
CrafterCMS versions up to 5.9.14 are vulnerable to CVE-2026-33162.
CVE-2026-33162 is resolved in version 5.9.14 of CrafterCMS.