CVE-2026-49133 – Typemill < 2.24.0 Path Traversal via ControllerApiImage::getPagemedia()

CVE ID :CVE-2026-49133

Published : June 17, 2026, 8:39 p.m. | 1 hour, 2 minutes ago

Description :Typemill before 2.24.0 contains a path traversal vulnerability that allows authenticated attackers with Author-level privileges to read arbitrary files outside the content directory by supplying traversal sequences in the path query parameter passed to Storage::getFile() with an empty folder argument. Attackers can bypass traversal-prevention controls in Storage::getFolderPath() to access sensitive files.

Severity: 7.1 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…