Description
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, the AssetsController->replaceFile() method has a targetFilename body parameter that is used unsanitized in a deleteFile() call before Assets::prepareAssetName() is applied on save. This allows an authenticated user with replaceFiles permission to delete arbitrary files within the same filesystem root by injecting ../ path traversal sequences into the filename. This could allow an authenticated user with replaceFiles permission on one volume to delete files in other folders/volumes that share the same filesystem root. This only affects local filesystems. This issue has been patched in versions 4.17.5 and 5.9.11.
Published: 2026-03-16
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authenticated File Deletion
Action: Apply Patch
AI Analysis

Impact

Craft CMS's AssetsController->replaceFile() method permits authenticated users with replaceFiles permission to delete arbitrary files within the same filesystem root by injecting .. path traversal sequences into the targetFilename. The issue arises because the filename is used unsanitized in a deleteFile() call before the value is sanitized by Assets::prepareAssetName(), allowing deletion of any file under the shared root and thereby compromising the integrity of the site’s content stored on local filesystems.

Affected Systems

Craft CMS versions 4.0.0-RC1 through 4.17.4 and 5.0.0-RC1 through 5.9.10 are vulnerable. The vulnerability was addressed in version 4.17.5 and version 5.9.11.

Risk and Exploitability

The CVSS score for this vulnerability is 5.3, indicating moderate severity. EPSS is below 1% and the flaw is not listed in the CISA KEV catalog, suggesting a low exploitation probability. Exploitation requires an authenticated user with replaceFiles permission and is limited to local filesystem volumes, resulting in the potential removal of critical assets and undermining content integrity.

Generated by OpenCVE AI on March 17, 2026 at 19:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official security patch to upgrade to Craft CMS 4.17.5 or newer, or 5.9.11 or newer.
  • Verify that the asset replacement functionality no longer deletes files outside the intended directories.
  • Review and restrict replaceFiles permission to trusted accounts.

Generated by OpenCVE AI on March 17, 2026 at 19:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-472v-j2g4-g9h2 Craft CMS has a Path Traversal Vulnerability in AssetsController
History

Tue, 17 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Craftcms craft Cms
CPEs cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*
Vendors & Products Craftcms craft Cms
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Tue, 17 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 17 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Craftcms
Craftcms craftcms
Vendors & Products Craftcms
Craftcms craftcms

Mon, 16 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
Description Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, the AssetsController->replaceFile() method has a targetFilename body parameter that is used unsanitized in a deleteFile() call before Assets::prepareAssetName() is applied on save. This allows an authenticated user with replaceFiles permission to delete arbitrary files within the same filesystem root by injecting ../ path traversal sequences into the filename. This could allow an authenticated user with replaceFiles permission on one volume to delete files in other folders/volumes that share the same filesystem root. This only affects local filesystems. This issue has been patched in versions 4.17.5 and 5.9.11.
Title Craft CMS has a Path Traversal Vulnerability in AssetsController
Weaknesses CWE-22
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Craftcms Craft Cms Craftcms
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-17T15:22:08.875Z

Reserved: 2026-03-11T15:05:48.397Z

Link: CVE-2026-32262

cve-icon Vulnrichment

Updated: 2026-03-17T15:22:05.337Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-16T20:16:19.013

Modified: 2026-03-17T17:56:54.240

Link: CVE-2026-32262

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-24T10:49:59Z

Weaknesses