CVE-2026-32731

Source
https://cve.org/CVERecord?id=CVE-2026-32731
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32731.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-32731
Aliases
Published
2026-03-18T22:03:25.682Z
Modified
2026-04-10T05:43:03.653021Z
Severity
  • 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Summary
ApostropheCMS has Arbitrary File Write (Zip Slip / Path Traversal) in Import-Export Gzip Extraction
Details

ApostropheCMS is an open-source content management framework. Prior to version 3.5.3 of @apostrophecms/import-export, the extract() function in gzip.js constructs file-write paths using fs.createWriteStream(path.join(exportPath, header.name)). path.join() does not resolve or sanitise traversal segments such as ../. It concatenates them as-is, meaning a tar entry named ../../evil.js resolves to a path outside the intended extraction directory. No canonical-path check is performed before the write stream is opened. This is a textbook Zip Slip vulnerability. Any user who has been granted the Global Content Modify permission (a role routinely assigned to content editors and site managers) can upload a crafted .tar.gz file through the standard CMS import UI and write attacker-controlled content to any path the Node.js process can reach on the host filesystem. Version 3.5.3 of @apostrophecms/import-export fixes the issue.

Database specific
{
    "cwe_ids": [
        "CWE-22"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32731.json"
}
References

Affected packages

Git / github.com/apostrophecms/apostrophe

Affected ranges

Type
GIT
Repo
https://github.com/apostrophecms/apostrophe
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.5.3"
        }
    ]
}

Affected versions


Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32731.json"