Input validation error in Craft CMS - CVE-2024-52291

 

Published: November 13, 2024 / Updated: April 17, 2026


Vulnerability identifier: #VU126473
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-52291
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Pixel & Tonic, Inc.
Affected software:
Craft CMS

Detailed vulnerability description

The vulnerability allows a remote user to overwrite files, access sensitive files, and potentially execute arbitrary code.

The vulnerability exists due to improper input validation in FileHelper::normalizePath() when processing file system base path values containing a double file:// scheme. A remote privileged user can configure a crafted file system path and upload files to overwrite files, access sensitive files, and potentially execute arbitrary code.

User interaction is required, and exploitation requires an authenticated administrator account with allowAdminChanges enabled.
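
As an added example (not code from Craft CMS or from this advisory), the Python helper below audits configured file system base path values for the nested file:// prefix described above. The handles, paths, the "$NAME" environment-reference convention and all function names are assumptions made for illustration.

```python
import re

# A URI-style scheme prefix such as "file://" (RFC 3986 scheme syntax).
SCHEME = re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*://")


def strip_schemes(value):
    """Peel leading scheme prefixes one at a time; return (schemes, rest)."""
    schemes, rest = [], value.strip()
    while (m := SCHEME.match(rest)):
        schemes.append(m.group(0).lower())  # compare case-insensitively
        rest = rest[m.end():]
    return schemes, rest


def audit_base_path(value, env=None):
    """Return a list of findings for one configured base path value."""
    findings = []
    # Assumption: "$NAME" values are environment references resolved at runtime.
    if value.startswith("$"):
        resolved = (env or {}).get(value[1:])
        if resolved is None:
            return ["unresolved: audit the resolved value of " + value]
        value = resolved
    schemes, rest = strip_schemes(value)
    if len(schemes) >= 2:
        findings.append("nested scheme prefix: " + "".join(schemes))
    elif schemes:
        # Conservative: a local base path needs no scheme, so flag it for review.
        findings.append("scheme prefix on a local path: " + schemes[0])
    if SCHEME.search(rest):
        findings.append("scheme embedded inside the path")
    return findings


def audit_filesystems(filesystems, env=None):
    """Map each filesystem handle to its findings, omitting clean entries."""
    report = {h: audit_base_path(p, env) for h, p in filesystems.items()}
    return {h: f for h, f in report.items() if f}


# Constructed sample data: handles, paths and variable names are made up.
SAMPLE_ENV = {"UPLOADS_PATH": "FILE://file:///srv/example/uploads"}
SAMPLE_FILESYSTEMS = {
    "images": "/srv/example/web/images",
    "docs": "file://file:///srv/example/docs",
    "uploads": "$UPLOADS_PATH",
    "legacy": "file:///srv/example/legacy",
    "pending": "$NOT_SET",
}
```

Calling audit_filesystems(SAMPLE_FILESYSTEMS, SAMPLE_ENV) returns findings for every entry except "images"; any flagged value should be reviewed alongside the allowAdminChanges setting mentioned above.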


How to mitigate CVE-2024-52291

Install the security update from the vendor's website.
