CVE-2026-45233

HTMLy CMS through 3.1.1 contains a path traversal vulnerability that allows low-privileged authenticated attackers to relocate arbitrary files by supplying directory traversal sequences in the oldfile parameter at the admin autosave endpoint. Attackers can pass unsanitized traversal sequences directly to file_exists() and rename() functions in admin.php without canonicalization or directory boundary enforcement to cause unintended relocation of any file writable by the web server process to an attacker-specified draft location.
Configurations

No configuration.

History

25 Jun 2026, 17:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-06-25 17:16

Updated : 2026-06-25 19:25


NVD link : CVE-2026-45233

Mitre link : CVE-2026-45233

CVE.ORG link : CVE-2026-45233


JSON object : View

Products Affected

No product.

CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')