DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-C43V-4CR8-6MVP: GHSA-C43V-4CR8-6MVP: Authenticated Path Traversal in Craft CMS Asset Icon Helper

GHSA-C43V-4CR8-6MVP: Authenticated Path Traversal in Craft CMS Asset Icon Helper

Vulnerability ID: GHSA-C43V-4CR8-6MVP
CVSS Score: 6.5
Published: 2026-07-09

An authenticated path traversal and arbitrary local file read vulnerability exists in Craft CMS versions 4.x up to 4.17.6 within the assets/icon endpoint and Assets helper classes. By exploiting this vulnerability, an authenticated user can traverse directories and read arbitrary .svg files on the server's filesystem, or execute Stored Cross-Site Scripting (XSS) if they can upload a malicious SVG.

TL;DR

Authenticated path traversal in Craft CMS allows reading local SVG files and executing Stored XSS via malicious file paths.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-22
  • Attack Vector: Network
  • CVSS Score: 6.5 (Medium)
  • EPSS Score: N/A (No CVE assigned)
  • Impact: Local File Read & Stored Cross-Site Scripting (XSS)
  • Exploit Status: Proof-of-Concept
  • KEV Status: Not Listed

Affected Systems

  • Craft CMS 4.x installations <= 4.17.6
  • Craft CMS: >= 4.0.0, <= 4.17.6 (Fixed in: 4.17.7)

Code Analysis

Commit: 30f5f1a

Enforce strict extension validation in Assets helper to block path traversal in icon path resolution

@@ -886,6 +886,10 @@ public static function downloadFile(BaseFsInterface $fs, string $uriPath, string
      */
     public static function iconUrl(string $extension): string
     {
+        if (!preg_match('/^\w+$/', $extension)) {
+            throw new InvalidArgumentException("$extension isn’t a valid file extension.");
+        }
+
         return UrlHelper::actionUrl('assets/icon', [
             'extension' => $extension,
         ]);
@@ -901,6 +905,10 @@ public static function iconUrl(string $extension): string
      */
     public static function iconPath(string $extension): string
     {
+        if (!preg_match('/^\w+$/', $extension)) {
+            throw new InvalidArgumentException("$extension isn’t a valid file extension.");
+        }
+
         $path = sprintf('%s%s%s.svg', Craft::$app->getPath()->getAssetsIconsPath(), DIRECTORY_SEPARATOR, strtolower($extension));
Enter fullscreen mode Exit fullscreen mode

Mitigation Strategies

  • Upgrade Craft CMS to version 4.17.7 or later to implement server-side path validation.
  • Configure Web Application Firewall rules to detect and drop requests containing directory traversal sequences in the query parameters.
  • Deploy restrictive Content Security Policies to prevent execution of inline scripts within SVG files inside the browser context.

Remediation Steps:

  1. Identify active installations of Craft CMS utilizing the command 'composer show craftcms/cms'.
  2. Execute 'composer update craftcms/cms' to pull the patched version 4.17.7.
  3. Clear application caches using './craft clear-caches/all' to ensure updated helper logic is enforced immediately.
  4. Audit standard user upload directories for unauthorized or suspicious SVG files containing script blocks.

References


Read the full report for GHSA-C43V-4CR8-6MVP on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)