CVE-2026-14794

A flaw has been found in Craft CMS up to 4.18.0.1. Affected by this vulnerability is the function actionGetNewUsersData of the file src/controllers/ChartsController.php of the component Charts Endpoint. This manipulation of the argument userGroupId causes improper authorization. The attack is possible to be carried out remotely. Upgrading to version 4.18.1 addresses this issue. Patch name: 9ee53efc1314e6aba32771c66a13e072a246f4ce. It is suggested to upgrade the affected component.
Configurations

No configuration.

History

06 Jul 2026, 05:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-07-06 05:16

Updated : 2026-07-06 18:02


NVD link : CVE-2026-14794

Mitre link : CVE-2026-14794

CVE.ORG link : CVE-2026-14794


JSON object : View

Products Affected

No product.

CWE
CWE-266

Incorrect Privilege Assignment

CWE-285

Improper Authorization