CVE Catalog

CVE-2026-56394

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.34%

25th percentile — higher than 25% of all known CVEs

Summary

Craft CMS version 4.0.0-RC1 contains an authenticated path traversal vulnerability in the assets/icon endpoint where the extension parameter is not validated before file existence checks. Attackers can bypass extension validation by passing traversal sequences that resolve to existing SVG files, allowing local file read access.

Risk Assessment

This vulnerability may lead to unauthorized access to local files, posing a risk of sensitive data exposure within the organization.

Recommendation

It is recommended to update Craft CMS to the latest version that addresses this vulnerability and to implement additional parameter validation mechanisms in endpoints.

Original NVD description (English source)

Craft CMS from 4.0.0-RC1 contains an authenticated path traversal vulnerability in the assets/icon endpoint where the extension parameter is not validated before file existence checks. Attackers can bypass extension validation by passing traversal sequences that resolve to existing SVG files, allowing local file read access.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS