CVE-2026-32262 | THREATINT

Description

Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, the AssetsController->replaceFile() method has a targetFilename body parameter that is used unsanitized in a deleteFile() call before Assets::prepareAssetName() is applied on save. This allows an authenticated user with replaceFiles permission to delete arbitrary files within the same filesystem root by injecting ../ path traversal sequences into the filename. This could allow an authenticated user with replaceFiles permission on one volume to delete files in other folders/volumes that share the same filesystem root. This only affects local filesystems. This issue has been patched in versions 4.17.5 and 5.9.11.

PUBLISHED Reserved 2026-03-11 | Published 2026-03-16 | Updated 2026-03-17 | Assigner GitHub_M

MEDIUM: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Problem types

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

>= 4.0.0-RC1, < 4.17.5

affected

>= 5.0.0-RC1, < 5.9.11

affected

References

github.com/...ms/cms/security/advisories/GHSA-472v-j2g4-g9h2

github.com/...ommit/c997efbe4c66c14092714233aeebff15cdbfcf11

cve.org (CVE-2026-32262)

nvd.nist.gov (CVE-2026-32262)

Download JSON