Loading market data...
← Back to CVE feed

CVE-2026-56394

MEDIUM CVSS 6.5 View on NVD ↗

Description

Craft CMS from 4.0.0-RC1 contains an authenticated path traversal vulnerability in the assets/icon endpoint where the extension parameter is not validated before file existence checks. Attackers can bypass extension validation by passing traversal sequences that resolve to existing SVG files, allowing local file read access.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Published: Jun 21, 2026 14:16 UTC Modified: Jun 21, 2026 14:16 UTC