CVE-2026-32262

Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, the AssetsController->replaceFile() method has a targetFilename body parameter that is used unsanitized in a deleteFile() call before Assets::prepareAssetName() is applied on save. This allows an authenticated user with replaceFiles permission to delete arbitrary files within the same filesystem root by injecting ../ path traversal sequences into the filename. This could allow an authenticated user with replaceFiles permission on one volume to delete files in other folders/volumes that share the same filesystem root. This only affects local filesystems. This issue has been patched in versions 4.17.5 and 5.9.11.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/craftcms/cms/commit/c997efbe4c66c14092714233aeebff15cdbfcf11	Patch
https://github.com/craftcms/cms/security/advisories/GHSA-472v-j2g4-g9h2	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:craftcms:craft_cms::::::::
	cpe:2.3:a:craftcms:craft_cms::::::::
	cpe:2.3:a:craftcms:craft_cms:4.0.0:-::::::
	cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1::::::
	cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2::::::
	cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3::::::
	cpe:2.3:a:craftcms:craft_cms:5.0.0:-::::::
	cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1::::::

History

17 Mar 2026, 17:56

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 4.3
References	~~() https://github.com/craftcms/cms/commit/c997efbe4c66c14092714233aeebff15cdbfcf11 -~~	() https://github.com/craftcms/cms/commit/c997efbe4c66c14092714233aeebff15cdbfcf11 - Patch
References	~~() https://github.com/craftcms/cms/security/advisories/GHSA-472v-j2g4-g9h2 -~~	() https://github.com/craftcms/cms/security/advisories/GHSA-472v-j2g4-g9h2 - Patch, Vendor Advisory
First Time		Craftcms Craftcms craft Cms
CPE		cpe:2.3:a:craftcms:craft_cms:::::::: cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:::::: cpe:2.3:a:craftcms:craft_cms:4.0.0:-:::::: cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:::::: cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:::::: cpe:2.3:a:craftcms:craft_cms:5.0.0:-:::::: cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1::::::

16 Mar 2026, 20:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-16 20:16

Updated : 2026-03-17 17:56

NVD link : CVE-2026-32262

Mitre link : CVE-2026-32262

CVE.ORG link : CVE-2026-32262

JSON object : View

Products Affected

craftcms

craft_cms

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

4.3 /10