Description
Craft CMS from 4.0.0-RC1 contains an authenticated path traversal vulnerability in the assets/icon endpoint where the extension parameter is not validated before file existence checks. Attackers can bypass extension validation by passing traversal sequences that resolve to existing SVG files, allowing local file read access.
Published: 2026-06-21
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Craft CMS versions from 4.0.0‑RC1 onward are vulnerable to an authenticated path traversal flaw in the assets/icon endpoint. The extension parameter is not validated before file existence checks, so an attacker can inject traversal sequences that resolve to existing SVG files. This allows the attacker to read arbitrary files on the server that the Craft CMS process can access, exposing sensitive data such as configuration files or system credentials. The weakness is classified as CWE‑22, which indicates improper handling of file path values.

Affected Systems

All installations of Craft CMS from version 4.0.0‑RC1 forward that have not applied the fix from commit 30f5f1a8d6edf0f3a00be72c42c78d9dc7d72d5c or the corresponding patch advisory. The vulnerability is available to users with authenticated access to the assets/icon endpoint.

Risk and Exploitability

The CVSS score of 7.1 signals a high severity impact. No EPSS data is available, and the issue is not listed in the CISA KEV catalog, but the vulnerability can be exploited remotely via HTTP requests to the assets/icon endpoint. Successful exploitation requires only that the attacker be authenticated to the site, after which arbitrary file reading can occur based on the web server's file permissions.

Generated by OpenCVE AI on June 21, 2026 at 16:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official Craft CMS patch that validates the extension parameter before checking file existence; the relevant security advisory refers to commit 30f5f1a8d6edf0f3a00be72c42c78d9dc7d72d5c.
  • Configure the web server or application to strip any path traversal characters from the extension value and to enforce that only .svg files are served by the assets/icon route, effectively rejecting any traversal sequences.
  • Restrict the file permissions of the directories accessed by Craft CMS so that the web application process cannot read sensitive system or configuration files; ensure files such as /etc/passwd and other critical directories are not world‑readable by the web server.

Generated by OpenCVE AI on June 21, 2026 at 16:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Craftcms
Craftcms craftcms
Vendors & Products Craftcms
Craftcms craftcms

Tue, 23 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Description Craft CMS from 4.0.0-RC1 contains an authenticated path traversal vulnerability in the assets/icon endpoint where the extension parameter is not validated before file existence checks. Attackers can bypass extension validation by passing traversal sequences that resolve to existing SVG files, allowing local file read access.
Title Craft CMS - Authenticated Path Traversal in assets/icon Extension Parameter
First Time appeared Juzaweb
Juzaweb cms
Weaknesses CWE-22
CPEs cpe:2.3:a:juzaweb:cms:*:*:*:*:*:*:*:*
Vendors & Products Juzaweb
Juzaweb cms
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-23T13:34:34.446Z

Reserved: 2026-06-21T12:37:58.434Z

Link: CVE-2026-56394

cve-icon Vulnrichment

Updated: 2026-06-23T13:34:27.699Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:08:13Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')