Skip to main content

Typemill CVE-2026-49133

HIGH
Path Traversal (CWE-22)
2026-06-17 VulnCheck
7.1
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Network-reachable API with Author-level auth required (PR:L), no user interaction, deterministic traversal (AC:L); arbitrary file read yields high confidentiality only, no integrity or availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 17, 2026 - 21:30 vuln.today
Analysis Generated
Jun 17, 2026 - 21:30 vuln.today

DescriptionCVE.org

Typemill before 2.24.0 contains a path traversal vulnerability that allows authenticated attackers with Author-level privileges to read arbitrary files outside the content directory by supplying traversal sequences in the path query parameter passed to Storage::getFile() with an empty folder argument. Attackers can bypass traversal-prevention controls in Storage::getFolderPath() to access sensitive files.

AnalysisAI

Arbitrary file read in Typemill before 2.24.0 allows authenticated Author-level users to traverse outside the content directory by injecting traversal sequences in the path query parameter when the folder argument is empty, defeating sanitization in Storage::getFolderPath(). Reported by VulnCheck with a vendor patch shipped in 2.24.0/2.24.2; no public exploit identified at time of analysis, and the CVSS 4.0 base score of 7.1 reflects high confidentiality impact with low-privilege network access.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain Author-level credentials
Delivery
Authenticate to Typemill API
Exploit
Send getPageMedia request with empty folder and ../ path
Execution
Bypass Storage::getFolderPath() checks
Persist
Read arbitrary file via Storage::getFile()
Impact
Harvest secrets/hashes for escalation

Vulnerability AssessmentAI

Exploitation Requires a valid Author-level (or higher) Typemill account and network reachability to the Typemill admin/API surface on a vulnerable instance running a version prior to 2.24.0. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N) accurately captures a network-reachable, low-complexity authenticated read primitive with high confidentiality impact and no integrity or availability impact, scoring 7.1. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who obtains or self-registers an Author-level account (for example on a Typemill site with open author signup or via a phished/reused credential) logs in, then issues an authenticated API request to the page-media endpoint with folder= empty and path=../../../../etc/passwd (or path traversal to the site's settings YAML containing API keys and the user database). The server resolves the file outside the content directory and returns its contents, giving the attacker offline-crackable password hashes or secrets to escalate to admin or pivot to other services; no public exploit identified at time of analysis, but the bug class is well understood and trivially reproducible from the description.
Remediation Upgrade to Typemill 2.24.0 or, preferably, 2.24.2 which bundles this fix together with patches for password-reset poisoning, 2FA brute force, and unique-user issues (release notes at https://github.com/typemill/typemill/releases/tag/v2.24.2; fix commit bfbb27001acd5c56ad62166dbefe6a59798cf1c0). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Typemill deployments and audit users with Author-level or higher privileges. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-49133 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy