Impact
Craft CMS versions from 4.0.0‑RC1 onward are vulnerable to an authenticated path traversal flaw in the assets/icon endpoint. The extension parameter is not validated before file existence checks, so an attacker can inject traversal sequences that resolve to existing SVG files. This allows the attacker to read arbitrary files on the server that the Craft CMS process can access, exposing sensitive data such as configuration files or system credentials. The weakness is classified as CWE‑22, which indicates improper handling of file path values.
Affected Systems
All installations of Craft CMS from version 4.0.0‑RC1 forward that have not applied the fix from commit 30f5f1a8d6edf0f3a00be72c42c78d9dc7d72d5c or the corresponding patch advisory. The vulnerability is available to users with authenticated access to the assets/icon endpoint.
Risk and Exploitability
The CVSS score of 7.1 signals a high severity impact. No EPSS data is available, and the issue is not listed in the CISA KEV catalog, but the vulnerability can be exploited remotely via HTTP requests to the assets/icon endpoint. Successful exploitation requires only that the attacker be authenticated to the site, after which arbitrary file reading can occur based on the web server's file permissions.
OpenCVE Enrichment