Vendor
Craft CMS versions 5.0.0-RC1 before 5.9.18 are vulnerable to information disclosure where an authenticated control panel user with only accessCp permission can discover filenames and the complete folder structure of assets in unauthorized volumes by supplying arbitrary asset IDs to AssetsController::actionShowInFolder(), exposing sensitive volume structures and enabling targeted follow-up attacks.