CVE-2026-32731
CVE-2026-32731 affects ApostropheCMS via the @apostrophecms/import-export gzip extractor. The extract(filepath, exportPath) uses fs.createWriteStream(path.join(exportPath, header.name)) without sanitising path traversal, allowing Zip Slip if a crafted .tar.gz is uploaded by a user with Global Con...