Craft CMS from 4.0.0-RC1 contains an authenticated path traversal vulnerability in the assets/icon endpoint where the extension parameter is not validated before file existence checks. Attackers can bypass extension validation by passing traversal sequences that resolve to existing SVG files, allowing local file read access.
Metrics
Affected Vendors & Products
References
History
Wed, 24 Jun 2026 16:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Craftcms
Craftcms craftcms |
|
| Vendors & Products |
Craftcms
Craftcms craftcms |
Tue, 23 Jun 2026 14:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Sun, 21 Jun 2026 15:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Craft CMS from 4.0.0-RC1 contains an authenticated path traversal vulnerability in the assets/icon endpoint where the extension parameter is not validated before file existence checks. Attackers can bypass extension validation by passing traversal sequences that resolve to existing SVG files, allowing local file read access. | |
| Title | Craft CMS - Authenticated Path Traversal in assets/icon Extension Parameter | |
| First Time appeared |
Juzaweb
Juzaweb cms |
|
| Weaknesses | CWE-22 | |
| CPEs | cpe:2.3:a:juzaweb:cms:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Juzaweb
Juzaweb cms |
|
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published: 2026-06-21T13:27:02.445Z
Updated: 2026-06-23T13:34:34.446Z
Reserved: 2026-06-21T12:37:58.434Z
Link: CVE-2026-56394
Updated: 2026-06-23T13:34:27.699Z
No data.
No data.