{"id":80870,"date":"2026-06-21T16:57:02","date_gmt":"2026-06-21T13:27:02","guid":{"rendered":"https:\/\/afaghhosting.net\/blog\/cve-2026-56394-craft-cms-authenticated-path-traversal-in-assets-icon-extension-parameter\/"},"modified":"2026-06-21T16:57:02","modified_gmt":"2026-06-21T13:27:02","slug":"cve-2026-56394-craft-cms-authenticated-path-traversal-in-assets-icon-extension-parameter","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/cve-2026-56394-craft-cms-authenticated-path-traversal-in-assets-icon-extension-parameter\/","title":{"rendered":"CVE-2026-56394 &#8211; Craft CMS &#8211; Authenticated Path Traversal in assets\/icon Extension Parameter"},"content":{"rendered":"<p>CVE ID: CVE-2026-56394<\/p>\n<p>Published: June 21, 2026, 1:27 p.m.<\/p>\n<p>Description: Craft CMS from 4.0.0-RC1 contains an authenticated path traversal vulnerability in the assets\/icon endpoint where the extension parameter is not validated before file existence checks. Attackers can bypass extension validation by passing traversal sequences that resolve to existing SVG files, allowing local file read access.<\/p>\n<p>Severity: 6.5 | MEDIUM<\/p>\n<p>Visit the link for more details, such as CVSS details, affected products, timeline, and more&#8230;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>CVE ID: CVE-2026-56394 Published: June 21, 2026, 1:27 p.m. Description: Craft CMS from 4.0.0-RC1 contains an authenticated path traversal vulnerability in the assets\/icon endpoint where the extension parameter is not validated before file existence checks. Attackers can bypass extension validation by passing traversal sequences that resolve to existing SVG files, &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-80870","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/80870","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=80870"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/80870\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=80870"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=80870"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=80870"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}