CVE-2026-56394

Source
https://cve.org/CVERecord?id=CVE-2026-56394
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-56394.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-56394
Aliases
Published
2026-06-21T13:27:02.445Z
Modified
2026-07-08T08:13:47.021370211Z
Severity
  • 7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Craft CMS - Authenticated Path Traversal in assets/icon Extension Parameter
Details

Craft CMS from 4.0.0-RC1 contains an authenticated path traversal vulnerability in the assets/icon endpoint where the extension parameter is not validated before file existence checks. Attackers can bypass extension validation by passing traversal sequences that resolve to existing SVG files, allowing local file read access.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/56xxx/CVE-2026-56394.json",
    "cna_assigner": "VulnCheck",
    "cwe_ids": [
        "CWE-22"
    ]
}
References

Affected packages

Git / github.com/craftcms/cms

Affected ranges

Type
GIT
Repo
https://github.com/craftcms/cms
Events
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "4.0.0-RC1"
        },
        {
            "fixed": "4.17.7"
        },
        {
            "introduced": "5.0.0-RC1"
        },
        {
            "fixed": "5.9.13"
        }
    ]
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-56394.json"