EUVD-2026-12503
GHSA-472v-j2g4-g9h2
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
4Tags
Description
The `AssetsController->replaceFile()` method has a `targetFilename` body parameter that is used unsanitized in a `deleteFile()` call before `Assets::prepareAssetName()` is applied on save. This allows an authenticated user with `replaceFiles` permission to delete arbitrary files within the same filesystem root by injecting `../` path traversal sequences into the filename. This could allow an authenticated user with `replaceFiles` permission on one volume to delete files in other folders/volumes that share the same filesystem root. This only affects local filesystems. Users should update to Craft 4.17.5 or 5.9.11 to mitigate the issue.
Analysis
Path traversal in Craft CMS AssetsController allows authenticated users with replaceFiles permission to delete arbitrary files on local filesystems by injecting directory traversal sequences into the targetFilename parameter, potentially affecting files across multiple volumes sharing the same filesystem root. The vulnerability exists because user input is processed by deleteFile() before proper sanitization is applied. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Review file handling controls.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today