Path Traversal in Owen2345 Camaleon Cms

CVE-2026-1776

Camaleon CMS versions 2.4.5.0 through 2.9.0, prior to commit f54a77e, contain a path traversal vulnerability in the AWS S3 uploader implementation that allows authenticated users to read arbitrary files from the web server’s filesystem. Th…

Vulnerability class: Path Traversal (Directory Traversal)

EPSS: 0.001 (22.9th percentile) — read the EPSS interpretation.

Affected products

Owen2345 Camaleon Cms — versions 2.4.5.0, f54a77e2a7be601215ea1b396038c589a0cab9af

Weakness classification (CWE)

CWE-22 — Path Traversal

References

github.com/owen2345/camaleon-cms/pull/1127 (issue-tracking)
github.com/owen2345/camaleon-cms/commit/f54a77e2a7be601215ea1b396038c589a0cab9af (patch)
camaleon.website/ (product)
www.vulncheck.com/advisories/camaleon-cms-aws-uploader-authenticated-path-trave… (third-party-advisory)