Craft CMS – Authenticated Path Traversal in assets/icon Extension Parameter

7.1 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Description

Craft CMS from 4.0.0-RC1 contains an authenticated path traversal vulnerability in the assets/icon endpoint where the extension parameter is not validated before file existence checks. Attackers can bypass extension validation by passing traversal sequences that resolve to existing SVG files, allowing local file read access.

Basic Information

ID CVE-2026-56394

Source VulnCheck

Published Jun 21, 2026 at 13:27

Affected Product

Vendor craftcms

Product cms

Version 4.0.0-RC1

Affected Versions craftcms cms 4.0.0-RC1
craftcms cms 5.0.0-RC1

CWE Classification

CWE-22

References

{
    "lastseen": "",
    "description": "Craft CMS from 4.0.0-RC1 contains an authenticated path traversal vulnerability in the assets/icon endpoint where the extension parameter is not validated before file existence checks. Attackers can bypass extension validation by passing traversal sequences that resolve to existing SVG files, allowing local file read access.",
    "published": "2026-06-21T13:27:02.445Z",
    "modified": "2026-06-21T13:27:02.445Z",
    "type": "cve",
    "title": "Craft CMS - Authenticated Path Traversal in assets/icon Extension Parameter",
    "source": "VulnCheck",
    "references": "https://github.com/craftcms/cms/security/advisories/GHSA-c43v-4cr8-6mvp\nhttps://github.com/craftcms/cms/commit/30f5f1a8d6edf0f3a00be72c42c78d9dc7d72d5c\nhttps://www.vulncheck.com/advisories/craft-cms-authenticated-path-traversal-in-assets-icon-extension-parameter",
    "id": "CVE-2026-56394",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22"
    ],
    "cvelist": null,
    "sourceData": "craftcms cms 4.0.0-RC1\ncraftcms cms 5.0.0-RC1",
    "sourceHref": "",
    "cvss": {
        "score": 7.1,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "cms",
    "version": "4.0.0-RC1",
    "vendor": "craftcms",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Craft CMS – Authenticated Path Traversal in assets/icon Extension Parameter_CVE-2026-56394