[HIGH] Craft CMS has IDOR via GraphQL @parseRefs

PKSA-ts3n-khxn-xyvm CVE-2026-28696 GHSA-7x43-mpfg-r9wj

Affected package: craftcms/cms

Affected version: >=5.0.0-RC1,<5.9.0-beta.1|>=4.0.0-RC1,<4.17.0-beta.1

Reported by:
GitHub