Path traversal in Craft CMS - CVE-2026-32262

Published: June 16, 2026


Vulnerability identifier: #VU134663
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-32262
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Pixel & Tonic, Inc.
Affected software: Craft CMS

Detailed vulnerability description

The vulnerability allows a remote user to delete arbitrary files within the same filesystem root.

The vulnerability exists due to path traversal in AssetsController->replaceFile() when processing the targetFilename body parameter. A remote user can inject ../ sequences into the filename to delete arbitrary files within the same filesystem root.

This only affects local filesystems and can impact other folders or volumes that share the same filesystem root.
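The two checks a defender would expect around a user-supplied target filename are shown below as an added PHP example. It is not Craft CMS code and does not reproduce the vendor's fix; the class name, the $volumeRoot and $targetFilename parameters and the sample inputs are hypothetical. The first check restricts the parameter to a plain file name (no separators, no "." or ".."), the second resolves the final path and confirms it still lies inside the volume root, which is the boundary the description above says the traversal crosses.

```php
<?php
// Added example, not Craft CMS code. Names are hypothetical.
// Validates a request-supplied target filename before a replace/delete
// operation on a local filesystem volume.

final class TargetFilenameValidator
{
    /**
     * Returns the filename if it is a plain basename, null otherwise.
     * Any directory component is rejected, so "../" cannot leave the folder.
     */
    public static function sanitize(string $targetFilename): ?string
    {
        // NUL bytes can truncate paths in lower layers; reject them outright.
        if (strpos($targetFilename, "\0") !== false) {
            return null;
        }
        // Reject both separator styles; the parameter must be a bare file name.
        if (strpbrk($targetFilename, '/\\') !== false) {
            return null;
        }
        // Reject empty names and the two special directory entries.
        if ($targetFilename === '' || $targetFilename === '.' || $targetFilename === '..') {
            return null;
        }
        return $targetFilename;
    }

    /**
     * Resolves $relativePath under $volumeRoot and returns the absolute path
     * only if it stays inside the root. Defence in depth: even if a traversal
     * sequence slipped past sanitize(), the realpath() comparison stops the
     * operation from touching files elsewhere on the same filesystem.
     * Returns null when the file does not exist, which for a delete is a
     * safe "nothing to do".
     */
    public static function resolveInside(string $volumeRoot, string $relativePath): ?string
    {
        $root = realpath($volumeRoot);
        if ($root === false) {
            return null;
        }
        $resolved = realpath($root . DIRECTORY_SEPARATOR . ltrim($relativePath, '/\\'));
        if ($resolved === false) {
            return null;
        }
        // Compare against "root/" so a sibling directory with a shared prefix
        // (e.g. /srv/volume2 next to /srv/volume) is not accepted by mistake.
        $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
            return null;
        }
        return $resolved;
    }
}

// Constructed inputs for illustration (hypothetical volume path).
$volumeRoot = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'example-volume';
@mkdir($volumeRoot, 0700, true);
file_put_contents($volumeRoot . DIRECTORY_SEPARATOR . 'report.pdf', 'sample');

foreach (['report.pdf', '../../etc/passwd', '..', 'sub/file.txt'] as $name) {
    $safe = TargetFilenameValidator::sanitize($name);
    $resolved = $safe === null ? null : TargetFilenameValidator::resolveInside($volumeRoot, $safe);
    printf("%-20s sanitize=%s resolve=%s\n", $name, var_export($safe, true), var_export($resolved, true));
}
```

In the loop above only the plain basename passes both checks; the traversal string, the bare "..", and the name carrying a subdirectory are all rejected by sanitize() before any filesystem call is made. resolveInside() is the backstop for code paths that build a path from several request-controlled parts rather than one filename.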


How to mitigate CVE-2026-32262

Install the security update from the vendor's website.

Sources