Craft CMS Path Traversal Vulnerability in Assets Controller Allowing Arbitrary File Deletion

Vulnerability

A path traversal vulnerability has been identified in Craft CMS versions from 4.0.0-RC1 up to but not including 4.17.5, and from 5.0.0-RC1 up to but not including 5.9.11. The issue arises in the AssetsController's replaceFile() method, where the user-supplied targetFilename parameter is passed to a deleteFile() call without sanitization. An authenticated user holding the replaceFiles permission can inject ../ path traversal sequences into the filename and thereby delete arbitrary files within the same filesystem root. Exploitation could enable deletion of files in other folders or volumes that share that filesystem root, but only on local filesystems.
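As an added example (not code from Craft CMS or from this advisory), the PHP below shows the kind of validation a replaceFile-style handler should apply to a user-supplied targetFilename before handing it to a delete call: a bare-filename test plus a containment check on the normalised path. The function names, the sample root and the sample filenames are assumptions chosen for illustration.

```php
<?php
// Added example (not Craft CMS code). The function names and the $root /
// $targetFilename parameters are assumptions chosen for illustration.
// Assumes PHP 8+ (str_contains / str_starts_with) and a POSIX-style absolute root.

// True only for a bare filename: non-empty, no NUL byte, no directory
// separators of either style, and not the "." or ".." segment.
function isBareFilename(string $targetFilename): bool
{
    if ($targetFilename === '' || str_contains($targetFilename, "\0")) {
        return false;
    }
    if (str_contains($targetFilename, '/') || str_contains($targetFilename, '\\')) {
        return false;
    }
    return $targetFilename !== '.' && $targetFilename !== '..';
}

// Defence in depth: join $root and $targetFilename, lexically normalise the
// result (works even when the file does not yet exist, unlike realpath()), and
// return it only if it still lies strictly inside $root; otherwise null.
function resolveInsideRoot(string $root, string $targetFilename): ?string
{
    $root = rtrim(str_replace('\\', '/', $root), '/');
    $parts = [];
    foreach (explode('/', $root . '/' . str_replace('\\', '/', $targetFilename)) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($parts);   // ".." climbs one level and may climb out of $root
            continue;
        }
        $parts[] = $seg;
    }
    $normalised = '/' . implode('/', $parts);
    return str_starts_with($normalised, $root . '/') ? $normalised : null;
}

// Constructed sample inputs (not taken from the advisory).
$root = '/var/www/storage/volumes/images';
foreach (['photo.jpg', '../../other/readme.txt', 'sub/photo.jpg'] as $name) {
    $safe = isBareFilename($name) && resolveInsideRoot($root, $name) !== null;
    echo $name, ' => ', $safe ? 'accept' : 'reject', PHP_EOL;
}
```

Only the first sample name is accepted; the containment check is kept even though isBareFilename() already rejects separators, so that a future relaxation of the filename rule cannot silently reopen the traversal.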

Impact

Exploitation of this vulnerability could lead to unauthorized deletion of files within the same filesystem root, potentially affecting multiple folders or volumes that share that root.

Remediation

Users are advised to update Craft CMS to version 4.17.5 (4.x) or 5.9.11 (5.x).

Added: Mar 16, 2026, 9:06 PM
Updated: Mar 16, 2026, 9:06 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 0.6
exploitability: 5.7
remediation: 7.7
relevance: 4.0
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.