Description
HTMLy CMS through 3.1.1 contains a path traversal vulnerability that allows low-privileged authenticated attackers to relocate arbitrary files by supplying directory traversal sequences in the oldfile parameter at the admin autosave endpoint. Attackers can pass unsanitized traversal sequences directly to file_exists() and rename() functions in admin.php without canonicalization or directory boundary enforcement to cause unintended relocation of any file writable by the web server process to an attacker-specified draft location.
Published: 2026-06-25
Score: 7.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

HTMLy CMS versions up to 3.1.1 contain a path traversal flaw that allows an authenticated user with low privileges to supply traversal sequences in the "oldfile" parameter at the admin autosave endpoint. The server passes the unsanitized value directly to file_exists() and rename() functions, enabling the attacker to relocate any file that is writable by the web‑server process to an arbitrary draft location. This can be used to overwrite configuration files, sensitive documents, or other files in the web root, potentially exposing or tampering with data.

Affected Systems

Vendor Danpros – HTMLy CMS – version 3.1.1.

Risk and Exploitability

The CVSS score of 7.2 indicates a medium‑high risk, and the vulnerability is not listed in CISA KEV. The exploit requires authentication but not privileged user rights, and the attack vector is likely over the web interface, as the vulnerable parameter is exposed in an admin endpoint. Without a patch, attackers could move or replace any writable file on the host, leading to data leakage or corruption.

Generated by OpenCVE AI on June 25, 2026 at 17:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade HTMLy CMS to a patched version (any release newer than 3.1.1 that removes the traversal bug).
  • If an immediate upgrade is not possible, remove or restrict the admin autosave functionality so the "oldfile" parameter cannot be accessed.
  • Limit the web‑server’s write permissions to directories that should not be modifiable, and consider enforcing file system ACLs to prevent unintended file relocation.

Generated by OpenCVE AI on June 25, 2026 at 17:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description HTMLy CMS through 3.1.1 contains a path traversal vulnerability that allows low-privileged authenticated attackers to relocate arbitrary files by supplying directory traversal sequences in the oldfile parameter at the admin autosave endpoint. Attackers can pass unsanitized traversal sequences directly to file_exists() and rename() functions in admin.php without canonicalization or directory boundary enforcement to cause unintended relocation of any file writable by the web server process to an attacker-specified draft location.
Title HTMLy CMS 3.1.1 Path Traversal via oldfile Parameter in Autosave
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}

cvssV4_0

{'score': 7.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-25T15:50:00.181Z

Reserved: 2026-05-11T14:14:49.612Z

Link: CVE-2026-45233

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T17:30:05Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')