Path Traversal in Craftcms Cms

CVE-2026-32262

Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, the AssetsController->replaceFile() method has a targetFilename body parameter that is use…

Vulnerability class: Path Traversal (Directory Traversal)

EPSS: 0.000 (12.3th percentile) — read the EPSS interpretation.

Affected products

Craftcms Cms — versions >= 4.0.0-RC1, < 4.17.5, >= 5.0.0-RC1, < 5.9.11

Weakness classification (CWE)

CWE-22 — Path Traversal

References

https://github.com/craftcms/cms/security/advisories/GHSA-472v-j2g4-g9h2 (x_refsource_CONFIRM)
https://github.com/craftcms/cms/commit/c997efbe4c66c14092714233aeebff15cdbfcf11 (x_refsource_MISC)