CVE-2026-56394

Summary

Craft CMS from 4.0.0-RC1 contains an authenticated path traversal vulnerability in the assets/icon endpoint where the extension parameter is not validated before file existence checks. Attackers can bypass extension validation by passing traversal sequences that resolve to existing SVG files, allowing local file read access.

Affected Software

VendorProductVersion RangeStatus
craftcmscms4.0.0-RC1 < 4.17.7affected
craftcmscms4.17.7unaffected
craftcmscms5.0.0-RC1 < 5.9.13affected
craftcmscms5.9.13unaffected

Weaknesses

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References