3 matches found
CVE-2026-56394
Craft CMS from 4.0.0-RC1 contains an authenticated path traversal vulnerability in the assets/icon endpoint where the extension parameter is not validated before file existence checks. Attackers can bypass extension validation by passing traversal sequences that resolve to existing SVG files,...
CVE-2026-56394
Craft CMS from 4.0.0-RC1 contains an authenticated path traversal vulnerability in the assets/icon endpoint where the extension parameter is not validated before file existence checks. Attackers can bypass extension validation by passing traversal sequences that resolve to existing SVG files,...
PT-2026-51235
Name of the Vulnerable Software and Affected Versions Craft CMS versions 4.0.0-RC1 and later Description An authenticated path traversal flaw exists in the 'assets/icon' endpoint. The issue occurs because the extension parameter is not validated before the system performs file existence checks. A...