#VU126473 Input validation error in Craft CMS - CVE-2024-52291
Published: November 13, 2024 / Updated: April 17, 2026
Craft CMS
Pixel & Tonic, Inc.
Description
The vulnerability allows a remote user to overwrite files, access sensitive files, and potentially execute arbitrary code.
The vulnerability exists due to improper input validation in FileHelper::normalizePath() when processing file system base path values that contain a double file:// scheme. A remote privileged user can configure a crafted file system base path and then upload files through it to overwrite files, access sensitive files, and potentially execute arbitrary code.
User interaction is required, and exploitation requires an authenticated administrator account with allowAdminChanges enabled.
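As an added illustration of the defensive check a base-path normalizer should perform (this is example code written for this page, not Craft CMS's FileHelper or its patch), the function below rejects any configured base path that carries more than one URL scheme, strips a single leading file:// prefix, normalizes the remainder lexically, and refuses results that escape an allowed root. The function names, the allowed-root policy, and the sample inputs are assumptions for illustration; it requires PHP 8 for str_starts_with().

```php
<?php
declare(strict_types=1);

// Example code, not part of Craft CMS. Demonstrates rejecting base paths that
// carry a nested or repeated scheme (such as "file://file:///...") before any
// path normalization takes place.

// Counts URL-style scheme prefixes (e.g. "file://") anywhere in the value.
function countSchemes(string $path): int
{
    return preg_match_all('#[a-z][a-z0-9+.\-]*://#i', $path);
}

// Lexical normalization only: collapses separators and resolves "." and ".."
// without touching the disk. Returns null if ".." would climb above the root.
function normalizeLexically(string $path): ?string
{
    $path = str_replace('\\', '/', $path);
    $isAbsolute = str_starts_with($path, '/');
    $out = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            if (empty($out)) {
                return null;
            }
            array_pop($out);
            continue;
        }
        $out[] = $seg;
    }
    return ($isAbsolute ? '/' : '') . implode('/', $out);
}

// Validates an administrator-supplied base path against an allowed root.
// Returns the normalized path, or null when the value must be rejected.
function validateBasePath(string $configured, string $allowedRoot): ?string
{
    $schemes = countSchemes($configured);
    if ($schemes > 1) {
        return null; // repeated or nested scheme: reject outright
    }
    if ($schemes === 1) {
        // Only a single leading file:// is acceptable; strip it.
        if (!str_starts_with(strtolower($configured), 'file://')) {
            return null;
        }
        $configured = substr($configured, strlen('file://'));
    }
    $norm = normalizeLexically($configured);
    if ($norm === null) {
        return null;
    }
    $root = rtrim($allowedRoot, '/');
    if ($norm !== $root && !str_starts_with($norm, $root . '/')) {
        return null; // normalized path lies outside the allowed root
    }
    return $norm;
}

// Constructed sample inputs (hypothetical paths, not from the advisory).
$allowedRoot = '/var/www/html/uploads';
$samples = [
    '/var/www/html/uploads/images',
    'file:///var/www/html/uploads/images',
    'file://file:///var/www/html/uploads/images',  // double scheme: rejected
    '/var/www/html/uploads/../../config',          // escapes root: rejected
    'FILE://file:///var/www/html/uploads',         // case-insensitive: rejected
];
foreach ($samples as $sample) {
    $result = validateBasePath($sample, $allowedRoot);
    printf("%-48s => %s\n", $sample, $result ?? 'REJECTED');
}
```

The ordering matters: the scheme count is checked before any stripping or normalization, so a value engineered to survive a single pass of prefix removal is refused before the normalizer ever sees it. The allowed-root containment check is a second, independent guard for the traversal case.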