CVE-2026-32262
published 2026-03-16CVE-2026-32262: Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, the…
PriorityP428medium4.3CVSS 3.1
AVNACLPRLUINSUCNILAN
EPSS
0.29%
20.7th percentile
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, the AssetsController->replaceFile() method has a targetFilename body parameter that is used unsanitized in a deleteFile() call before Assets::prepareAssetName() is applied on save. This allows an authenticated user with replaceFiles permission to delete arbitrary files within the same filesystem root by injecting ../ path traversal sequences into the filename. This could allow an authenticated user with replaceFiles permission on one volume to delete files in other folders/volumes that share the same filesystem root. This only affects local filesystems. This issue has been patched in versions 4.17.5 and 5.9.11.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| craftcms | cms | — | — |
| craftcms | cms | — | — |
| craftcms | cms | >= 4.0.0-RC1 < 4.17.5 | 4.17.5 |
| craftcms | cms | >= 5.0.0-RC1 < 5.9.11 | 5.9.11 |
| craftcms | craft_cms | — | — |
| craftcms | craft_cms | — | — |
| craftcms | craft_cms | >= 4.0.0.1 < 4.17.5 | 4.17.5 |
| craftcms | craft_cms | >= 5.0.1 < 5.9.11 | 5.9.11 |
CVSS provenance
nvdv3.14.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
nvdv4.05.3MEDIUMCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Craft CMS has a Path Traversal Vulnerability in AssetsController
osv·2026-03-16
CVE-2026-32262 [MEDIUM] Craft CMS has a Path Traversal Vulnerability in AssetsController
Craft CMS has a Path Traversal Vulnerability in AssetsController
The `AssetsController->replaceFile()` method has a `targetFilename` body parameter that is used unsanitized in a `deleteFile()` call before `Assets::prepareAssetName()` is applied on save. This allows an authenticated user with `replaceFiles` permission to delete arbitrary files within the same filesystem root by injecting `../` path traversal sequences into the filename.
This could allow an authenticated user with `replaceFiles` permission on one volume to delete files in other folders/volumes that share the same filesystem root.
This only affects local filesystems.
Users should update to Craft 4.17.5 or 5.9.11 to mitigate the issue.
GHSA
Craft CMS has a Path Traversal Vulnerability in AssetsController
ghsa·2026-03-16
CVE-2026-32262 [MEDIUM] CWE-22 Craft CMS has a Path Traversal Vulnerability in AssetsController
Craft CMS has a Path Traversal Vulnerability in AssetsController
The `AssetsController->replaceFile()` method has a `targetFilename` body parameter that is used unsanitized in a `deleteFile()` call before `Assets::prepareAssetName()` is applied on save. This allows an authenticated user with `replaceFiles` permission to delete arbitrary files within the same filesystem root by injecting `../` path traversal sequences into the filename.
This could allow an authenticated user with `replaceFiles` permission on one volume to delete files in other folders/volumes that share the same filesystem root.
This only affects local filesystems.
Users should update to Craft 4.17.5 or 5.9.11 to mitigate the issue.
No detection rules found.
No public exploits indexed.
2026-03-16
Published