Product
A high-severity mass assignment vulnerability (CVE-2026-50281) in Craft CMS versions prior to 5.9.21 allows a low-privileged authenticated attacker to overwrite arbitrary existing element data, such as entries or user profiles, by manipulating the `newAttributes` parameter during a bulk duplication action.