{"cve":{"cve_id":"CVE-2026-56394","is_kev":false,"kev_date_added":null,"kev_vendor_project":null,"kev_product":null,"kev_vulnerability_name":null,"kev_short_description":null,"kev_required_action":null,"kev_due_date":null,"kev_known_ransomware":null,"kev_notes":null,"kev_cwes":null,"epss_score":0.00336,"epss_percentile":0.25264,"epss_as_of":"2026-06-23","description":"Craft CMS from 4.0.0-RC1 contains an authenticated path traversal vulnerability in the assets/icon endpoint where the extension parameter is not validated before file existence checks. Attackers can bypass extension validation by passing traversal sequences that resolve to existing SVG files, allowing local file read access.","published_at":"2026-06-21T13:27:02.445000Z","last_modified_at":null,"cvss_v3_score":6.5,"cvss_v3_vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","cvss_v3_severity":"MEDIUM","cvss_v4_score":7.1,"cvss_v4_vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N","cvss_v4_severity":"HIGH","ssvc_decision":null,"ssvc_exploitation":null,"ssvc_automatable":null,"ssvc_technical_impact":null,"cwes":["CWE-22"],"nvd_references":["https://github.com/craftcms/cms/security/advisories/GHSA-c43v-4cr8-6mvp","https://github.com/craftcms/cms/commit/30f5f1a8d6edf0f3a00be72c42c78d9dc7d72d5c","https://www.vulncheck.com/advisories/craft-cms-authenticated-path-traversal-in-assets-icon-extension-parameter"],"vuln_status":null,"trending_score":null,"is_trending":false,"has_trended":false,"trended_number_one":false,"trending_peak_score":null,"trending_peak_rank":null,"started_trending_at":null,"trended_number_one_at":null,"summary_generated":null,"summary_generated_at":null,"summary_model":null,"created_at":"2026-06-24T00:09:39.878444Z","updated_at":"2026-06-28T23:30:57.197036Z"},"effective_severity":"HIGH","badges":[],"impact_analysis":[],"cvss_v3_decoded":{"version":"3.1","metrics":[{"metric":"AV","name":"Attack Vector","value":"N","value_label":"Network"},{"metric":"AC","name":"Attack Complexity","value":"L","value_label":"Low"},{"metric":"PR","name":"Privileges Required","value":"L","value_label":"Low"},{"metric":"UI","name":"User Interaction","value":"N","value_label":"None"},{"metric":"S","name":"Scope","value":"U","value_label":"Unchanged"},{"metric":"C","name":"Confidentiality","value":"H","value_label":"High"},{"metric":"I","name":"Integrity","value":"N","value_label":"None"},{"metric":"A","name":"Availability","value":"N","value_label":"None"}]},"cvss_v4_decoded":{"version":"4.0","metrics":[{"metric":"AV","name":"Attack Vector","value":"N","value_label":"Network"},{"metric":"AC","name":"Attack Complexity","value":"L","value_label":"Low"},{"metric":"AT","name":"Attack Requirements","value":"N","value_label":"None"},{"metric":"PR","name":"Privileges Required","value":"L","value_label":"Low"},{"metric":"UI","name":"User Interaction","value":"N","value_label":"None"},{"metric":"VC","name":"Confidentiality (Vulnerable System)","value":"H","value_label":"High"},{"metric":"VI","name":"Integrity (Vulnerable System)","value":"N","value_label":"None"},{"metric":"VA","name":"Availability (Vulnerable System)","value":"N","value_label":"None"},{"metric":"SC","name":"Confidentiality (Subsequent System)","value":"N","value_label":"None"},{"metric":"SI","name":"Integrity (Subsequent System)","value":"N","value_label":"None"},{"metric":"SA","name":"Availability (Subsequent System)","value":"N","value_label":"None"}]},"affected":[{"vendor_slug":"craftcms","vendor_name":"craftcms","product_slug":"cms","product_name":"cms","version_start":"4.0.0-RC1","version_start_inclusive":true,"version_end":"4.17.7","version_end_inclusive":false,"cpe23_uri":"cve5:craftcms:cms:4.0.0-RC1:4.17.7"},{"vendor_slug":"craftcms","vendor_name":"craftcms","product_slug":"cms","product_name":"cms","version_start":"4.17.7","version_start_inclusive":true,"version_end":"4.17.7","version_end_inclusive":true,"cpe23_uri":"cve5:craftcms:cms:4.17.7:4.17.7"},{"vendor_slug":"craftcms","vendor_name":"craftcms","product_slug":"cms","product_name":"cms","version_start":"5.0.0-RC1","version_start_inclusive":true,"version_end":"5.9.13","version_end_inclusive":false,"cpe23_uri":"cve5:craftcms:cms:5.0.0-RC1:5.9.13"},{"vendor_slug":"craftcms","vendor_name":"craftcms","product_slug":"cms","product_name":"cms","version_start":"5.9.13","version_start_inclusive":true,"version_end":"5.9.13","version_end_inclusive":true,"cpe23_uri":"cve5:craftcms:cms:5.9.13:5.9.13"}],"exploit_refs":[],"news":[],"references":[{"url":"https://github.com/craftcms/cms/security/advisories/GHSA-c43v-4cr8-6mvp","source_type":"VENDOR_ADVISORY","tags":["advisory"]},{"url":"https://github.com/craftcms/cms/commit/30f5f1a8d6edf0f3a00be72c42c78d9dc7d72d5c","source_type":"PATCH","tags":["patch"]},{"url":"https://www.vulncheck.com/advisories/craft-cms-authenticated-path-traversal-in-assets-icon-extension-parameter","source_type":"VENDOR_ADVISORY","tags":["advisory"]}],"timeline":[{"type":"published","at":"2026-06-21T13:27:02.445000Z","label":"CVE published","source":null},{"type":"cvss_changed","at":"2026-06-28T17:55:42.709123Z","label":"CVSS score revised","source":"cvelistv5"},{"type":"cvss_changed","at":"2026-06-28T17:55:42.709123Z","label":"CVSS score revised","source":"cvelistv5"},{"type":"cvss_changed","at":"2026-06-28T17:55:42.709123Z","label":"CVSS score revised","source":"cvelistv5"},{"type":"cvss_changed","at":"2026-06-28T17:55:42.709123Z","label":"CVSS score revised","source":"cvelistv5"},{"type":"cvss_changed","at":"2026-06-28T17:55:42.709123Z","label":"CVSS score revised","source":"cvelistv5"},{"type":"cvss_changed","at":"2026-06-28T17:55:42.709123Z","label":"CVSS score revised","source":"cvelistv5"}]}