CVE-2026-56394
Published: 2026-06-21
Priority: P341 · Severity: medium · CVSS 3.1 base score: 6.5
CVSS 3.1 vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:N / A:N
EPSS: 0.34% (25.4th percentile)
Craft CMS from 4.0.0-RC1 contains an authenticated path traversal vulnerability in the assets/icon endpoint where the extension parameter is not validated before file existence checks. Attackers can bypass extension validation by passing traversal sequences that resolve to existing SVG files, allowing local file read access.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| craftcms | cms | >= 4.0.0-RC1 < 4.17.7 | 4.17.7 |
| craftcms | cms | >= 5.0.0-RC1 < 5.9.13 | 5.9.13 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| nvd | 4.0 | 7.1 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
VulDB (vuldb · 2026-06-21 · CVSS 6.5 · MEDIUM)
Craft CMS up to 4.17.6/5.9.12 SVG File path traversal (GHSA-c43v-4cr8-6mvp / EUVD-2026-38160)
A vulnerability categorized as critical has been discovered in Craft CMS up to 4.17.6/5.9.12. Affected is an unknown function of the component SVG File Handler. Executing a manipulation can lead to path traversal.
This vulnerability is handled as CVE-2026-56394. The attack can be executed remotely. There is no exploit available.
It is advisable to upgrade the affected component.
GHSA (ghsa_unreviewed · 2026-06-21 · HIGH · CWE-22)
Craft CMS from 4.0.0-RC1 contains an authenticated path traversal vulnerability in the assets/icon endpoint where the extension parameter is not validated before file existence checks. Attackers can bypass extension validation by passing traversal sequences that resolve to existing SVG files, allowing local file read access.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-06-21