CVE-2026-56394

CVE-2026-56394CVE-2026-56394

Description

Craft CMS from 4.0.0-RC1 contains an authenticated path traversal vulnerability in the assets/icon endpoint where the extension parameter is not validated before file existence checks. Attackers can bypass extension validation by passing traversal sequences that resolve to existing SVG files, allowing local file read access.

Scoring

CVSS 6.5 ()
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Last modified2026-06-21
Sourced from NVD. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.