Improperly Controlled Modification of Dynamically-Determined Object Attributes Affecting craftcms/cms package, versions >=5.7.0, <5.9.21


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.25% (17th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-PHP-CRAFTCMSCMS-17798869
  • published2 Jul 2026
  • disclosed2 Jul 2026
  • creditUnknown

Introduced: 2 Jul 2026

NewCVE-2026-50281  (opens in a new tab)
CWE-915  (opens in a new tab)

How to fix?

Upgrade craftcms/cms to version 5.9.21 or higher.

Overview

craftcms/cms is a content management system.

Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the newAttributes parameter in the bulk duplicate process. An attacker can overwrite existing elements belonging to other users by submitting arbitrary id values, resulting in unauthorized modification of content by predicting or enumerating element IDs. This is only exploitable if the attacker has permission to duplicate at least one entry they own.

CVSS Base Scores

version 4.0
version 3.1