GHSA-472v-j2g4-g9h2

Source

https://github.com/advisories/GHSA-472v-j2g4-g9h2

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-472v-j2g4-g9h2/GHSA-472v-j2g4-g9h2.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-472v-j2g4-g9h2

Aliases

CVE-2026-32262

Published

2026-03-16T18:11:49Z

Modified

2026-03-16T22:02:17.568284Z

Severity

5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator

Summary

Craft CMS has a Path Traversal Vulnerability in AssetsController

Details

The AssetsController->replaceFile() method has a targetFilename body parameter that is used unsanitized in a deleteFile() call before Assets::prepareAssetName() is applied on save. This allows an authenticated user with replaceFiles permission to delete arbitrary files within the same filesystem root by injecting ../ path traversal sequences into the filename.

This could allow an authenticated user with replaceFiles permission on one volume to delete files in other folders/volumes that share the same filesystem root.

This only affects local filesystems.

Users should update to Craft 4.17.5 or 5.9.11 to mitigate the issue.

Database specific

{
    "github_reviewed": true,
    "severity": "MODERATE",
    "github_reviewed_at": "2026-03-16T18:11:49Z",
    "nvd_published_at": "2026-03-16T20:16:19Z",
    "cwe_ids": [
        "CWE-22"
    ]
}

References

Affected packages

Packagist / craftcms/cms

Package

Name: craftcms/cms
Purl: pkg:composer/craftcms/cms

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0.0-RC1

Fixed

4.17.5

Affected versions

4.*

4.0.0-RC1

4.0.0-RC2

4.0.0-RC3

4.0.0

4.0.0.1

4.0.1

4.0.2

4.0.3

4.0.4

4.0.5

4.0.5.1

4.0.5.2

4.0.6

4.1.0

4.1.0.1

4.1.0.2

4.1.1

4.1.2

4.1.3

4.1.4

4.1.4.1

4.2.0

4.2.0.1

4.2.0.2

4.2.1

4.2.1.1

4.2.2

4.2.3

4.2.4

4.2.5

4.2.5.1

4.2.5.2

4.2.6

4.2.7

4.2.8

4.3.0

4.3.1

4.3.2

4.3.2.1

4.3.3

4.3.4

4.3.5

4.3.6

4.3.6.1

4.3.7

4.3.7.1

4.3.8

4.3.8.1

4.3.8.2

4.3.9

4.3.10

4.3.11

4.4.0-beta.1

4.4.0-beta.2

4.4.0-beta.3

4.4.0-beta.4

4.4.0-beta.5

4.4.0-beta.6

4.4.0-beta.7

4.4.0

4.4.1

4.4.2

4.4.3

4.4.4

4.4.5

4.4.6

4.4.6.1

4.4.7

4.4.7.1

4.4.8

4.4.9

4.4.10

4.4.10.1

4.4.11

4.4.12

4.4.13

4.4.14

4.4.15

4.4.16

4.4.16.1

4.4.17

4.5.0-beta.1

4.5.0-beta.2

4.5.0

4.5.1

4.5.2

4.5.3

4.5.4

4.5.5

4.5.6

4.5.6.1

4.5.7

4.5.8

4.5.9

4.5.10

4.5.11

4.5.11.1

4.5.12

4.5.13

4.5.14

4.5.15

4.6.0-RC1

4.6.0

4.6.1

4.7.0

4.7.1

4.7.2

4.7.2.1

4.7.3

4.7.4

4.8.0

4.8.1

4.8.2

4.8.3

4.8.4

4.8.5

4.8.6

4.8.7

4.8.8

4.8.9

4.8.10

4.8.11

4.9.0

4.9.1

4.9.2

4.9.3

4.9.4

4.9.5

4.9.6

4.9.7

4.10.0-beta.1

4.10.0-beta.2

4.10.0

4.10.1

4.10.2

4.10.3

4.10.4

4.10.5

4.10.6

4.10.7

4.10.8

4.11.0

4.11.0.1

4.11.0.2

4.11.1

4.11.2

4.11.3

4.11.4

4.11.5

4.12.0

4.12.1

4.12.2

4.12.3

4.12.4

4.12.4.1

4.12.5

4.12.6

4.12.6.1

4.12.7

4.12.8

4.12.9

4.13.0

4.13.1

4.13.1.1

4.13.2

4.13.3

4.13.4

4.13.5

4.13.6

4.13.7

4.13.8

4.13.9

4.13.10

4.14.0

4.14.0.1

4.14.0.2

4.14.1

4.14.2

4.14.3

4.14.4

4.14.5

4.14.6

4.14.7

4.14.8

4.14.8.1

4.14.9

4.14.10

4.14.11

4.14.11.1

4.14.12

4.14.13

4.14.14

4.14.15

4.15.0-beta.1

4.15.0-beta.2

4.15.0

4.15.0.1

4.15.0.2

4.15.1

4.15.2

4.15.3

4.15.4

4.15.5

4.15.6

4.15.6.1

4.15.6.2

4.15.7

4.16.0

4.16.1

4.16.2

4.16.3

4.16.4

4.16.5

4.16.6

4.16.6.1

4.16.7

4.16.8

4.16.9

4.16.9.1

4.16.10

4.16.11

4.16.12

4.16.13

4.16.14

4.16.15

4.16.16

4.16.17

4.16.18

4.16.19

4.17.0-beta.1

4.17.0-beta.2

4.17.0

4.17.1

4.17.2

4.17.3

4.17.4

Database specific

last_known_affected_version_range

"<= 4.17.4"

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-472v-j2g4-g9h2/GHSA-472v-j2g4-g9h2.json"

Packagist / craftcms/cms

Package

Name: craftcms/cms
Purl: pkg:composer/craftcms/cms

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0-RC1

Fixed

5.9.11

Affected versions

5.*

5.0.0-RC1

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.1.0

5.1.1

5.1.2

5.1.3

5.1.4

5.1.5

5.1.6

5.1.7

5.1.8

5.1.9

5.1.10

5.2.0-beta.1

5.2.0-beta.2

5.2.0-beta.3

5.2.0-beta.4

5.2.0-beta.5

5.2.0-beta.6

5.2.0

5.2.1

5.2.2

5.2.3

5.2.4

5.2.4.1

5.2.5

5.2.6

5.2.7

5.2.8

5.2.9

5.2.10

5.3.0-beta.1

5.3.0-beta.2

5.3.0

5.3.0.1

5.3.0.2

5.3.0.3

5.3.1

5.3.2

5.3.3

5.3.4

5.3.5

5.3.6

5.4.0

5.4.0.1

5.4.1

5.4.2

5.4.3

5.4.4

5.4.5

5.4.5.1

5.4.6

5.4.7

5.4.7.1

5.4.8

5.4.9

5.4.10

5.4.10.1

5.5.0

5.5.0.1

5.5.1

5.5.1.1

5.5.2

5.5.3

5.5.4

5.5.5

5.5.6

5.5.6.1

5.5.7

5.5.8

5.5.9

5.5.10

5.6.0

5.6.0.1

5.6.0.2

5.6.1

5.6.2

5.6.3

5.6.4

5.6.5

5.6.5.1

5.6.6

5.6.7

5.6.8

5.6.9

5.6.9.1

5.6.10

5.6.10.1

5.6.10.2

5.6.11

5.6.12

5.6.13

5.6.14

5.6.15

5.6.16

5.6.17

5.7.0-beta.1

5.7.0-beta.2

5.7.0

5.7.1

5.7.1.1

5.7.2

5.7.3

5.7.4

5.7.5

5.7.6

5.7.7

5.7.8

5.7.8.1

5.7.8.2

5.7.9

5.7.10

5.7.11

5.8.0

5.8.1

5.8.2

5.8.3

5.8.4

5.8.5

5.8.6

5.8.7

5.8.8

5.8.9

5.8.10

5.8.11

5.8.12

5.8.13

5.8.13.1

5.8.13.2

5.8.14

5.8.15

5.8.16

5.8.17

5.8.18

5.8.19

5.8.20

5.8.21

5.8.22

5.8.23

5.9.0-beta.1

5.9.0-beta.2

5.9.0

5.9.1

5.9.2

5.9.3

5.9.4

5.9.5

5.9.6

5.9.7

5.9.8

5.9.9

5.9.10

Database specific

last_known_affected_version_range

"<= 5.9.10"

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-472v-j2g4-g9h2/GHSA-472v-j2g4-g9h2.json"