Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable assets/icon endpoint exploitable by any authenticated user (PR:L), no user interaction, yields file read (C:H) with no integrity or availability impact.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Craft CMS from 4.0.0-RC1 contains an authenticated path traversal vulnerability in the assets/icon endpoint where the extension parameter is not validated before file existence checks. Attackers can bypass extension validation by passing traversal sequences that resolve to existing SVG files, allowing local file read access.
AnalysisAI
Authenticated path traversal in Craft CMS (4.0.0-RC1 through 4.17.6 and 5.0.0-RC1 through 5.9.12) allows low-privileged users to read arbitrary SVG files on the server via the assets/icon endpoint's extension parameter, which was passed to file existence checks without validation. No public exploit identified at time of analysis, though VulnCheck published an advisory and the upstream fix is visible in commit 30f5f1a. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Attacker must hold valid authenticated credentials for the Craft CMS instance (PR:L - any logged-in user role that can reach the assets/icon controller is sufficient; no admin role required), and the target file must be an existing SVG file reachable on the filesystem from the icon directory via relative traversal. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector AV:N/AC:L/AT:N/PR:L/UI:N with VC:H reflects a network-reachable, low-complexity bug that requires only a low-privileged authenticated session and yields high confidentiality impact (file read) but no integrity or availability impact - the 7.1 score is consistent with a meaningful but bounded exposure. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with any authenticated Craft CMS account (for example a low-privileged content author on a multi-tenant site) sends a request to assets/icon with an extension parameter containing traversal sequences pointing at an SVG file outside the intended icon directory, such as one stored in the application or webroot. The server resolves the path, confirms the file exists, and returns its contents, giving the attacker read access to that SVG. … |
| Remediation | Vendor-released patch: upgrade Craft CMS to 4.17.7 (for the 4.x branch) or 5.9.13 (for the 5.x branch), both of which include commit 30f5f1a8d6edf0f3a00be72c42c78d9dc7d72d5c that adds strict regex validation of the extension parameter in Assets.php; the advisory at https://github.com/craftcms/cms/security/advisories/GHSA-c43v-4cr8-6mvp documents the fix. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify and audit all Craft CMS installations running versions 4.0.0-RC1 through 4.17.6 or 5.0.0-RC1 through 5.9.12. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Cayin CMS suffers from an authenticated OS semi-blind command injection vulnerability using default credentials. Rated c
Multiple integer underflows in the icmLut_allocate function in International Color Consortium (ICC) Format library (iccl
phpKF CMS 3.00 Beta allows unauthenticated PHP file upload by disguising it as a PNG, then renaming it for execution. Po
Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0 to 7.2 an
Deserialization of Untrusted Data in the anti CSRF module in Sitecore through 9.1 allows an authenticated attacker to ex
SQL injection vulnerability in hava_post.php in Havalite CMS 1.1.0 and earlier allows remote attackers to execute arbitr
Unrestricted file upload vulnerability in hava_upload.php in Havalite CMS 1.1.0 and earlier allows remote attackers to e
Cross-site request forgery (CSRF) vulnerability in Ilch CMS allows remote attackers to hijack the authentication of admi
Multiple cross-site scripting (XSS) vulnerabilities in Havalite 1.0.4 and earlier allow remote attackers to inject arbit
A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.
A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.
A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38160
GHSA-jcmp-jxh2-4jc3