CVE-2026-56394
Craft CMS - Authenticated Path Traversal in assets/icon Extension Parameter
CVSS Score
6.5
EPSS Score
0.0%
EPSS Percentile
0th
Craft CMS from 4.0.0-RC1 contains an authenticated path traversal vulnerability in the assets/icon endpoint where the extension parameter is not validated before file existence checks. Attackers can bypass extension validation by passing traversal sequences that resolve to existing SVG files, allowing local file read access.
| CWE | CWE-22 |
| Vendor | craftcms |
| Product | cms |
| Published | Jun 21, 2026 |
Stay Ahead of the Next One
Get instant alerts for craftcms cms
Be the first to know when new medium vulnerabilities affecting craftcms cms are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Affected Versions
craftcms / cms
4.0.0-RC1 < 4.17.7 5.0.0-RC1 < 5.9.13
References
github.com: https://github.com/craftcms/cms/security/advisories/GHSA-c43v-4cr8-6mvp github.com: https://github.com/craftcms/cms/commit/30f5f1a8d6edf0f3a00be72c42c78d9dc7d72d5c vulncheck.com: https://www.vulncheck.com/advisories/craft-cms-authenticated-path-traversal-in-assets-icon-extension-parameter
Credits
๐ GCXWLP