PT-2026-25803 · Craft CMS · Craft CMS

Lowangrybrad · Published 2026-03-16 · Updated 2026-03-17 · CVE-2026-32262

CVSS v4.0: 5.3 (Medium)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Craft CMS versions 4.0.0-RC1 through 4.17.4
Craft CMS versions 5.0.0-RC1 through 5.9.10

Description
Craft CMS is a content management system. The AssetsController->replaceFile() method uses the targetFilename body parameter without proper sanitization in a deleteFile() call before Assets::prepareAssetName() is applied during saving. This allows an authenticated user with the replaceFiles permission to delete arbitrary files within the same filesystem root by injecting ../ path traversal sequences into the filename. As a result, a user with the replaceFiles permission on one volume could delete files in other folders or volumes that share the same filesystem root. This issue only affects local filesystems. The vulnerable method is AssetsController->replaceFile(), and the vulnerable parameter is targetFilename.

Recommendations
Craft CMS versions 4.0.0-RC1 through 4.17.4 should be updated to version 4.17.5 or later. Craft CMS versions 5.0.0-RC1 through 5.9.10 should be updated to version 5.9.11 or later.
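The ordering defect the description reports (the raw targetFilename reaches a delete call before the asset name is prepared) is shown below as an added illustration, not Craft CMS source code: a hypothetical replace-file handler with the defect, beside a hardened version that validates the name, confines the resolved path to the volume root, and gives the operator a traversal check to alert on. The function names deleteFile, prepareAssetName and looksLikeTraversal, the $volumeRoot argument and the throwaway directory used by the demo are all assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example, not Craft CMS code. Names and behaviour are assumptions:
// prepareAssetName() stands in for the "prepare asset name" step named above,
// deleteFile() for the delete call that receives the unprepared parameter.

/** Stand-in for the prepare step: reduce any input to a bare file name. */
function prepareAssetName(string $filename): string
{
    return basename(str_replace('\\', '/', $filename));
}

/** Remove a file if it exists, logging the path it was asked to remove. */
function deleteFile(string $path): void
{
    error_log("deleteFile: $path");
    if (is_file($path)) {
        unlink($path);
    }
}

/** Detection hook: true if the raw name carries a separator or a dot-dot segment. */
function looksLikeTraversal(string $name): bool
{
    return preg_match('#(^|[\\\\/])\.\.([\\\\/]|$)|[\\\\/]#', $name) === 1;
}

/** Defective ordering: the raw parameter is used for deletion before it is prepared. */
function replaceFileVulnerable(string $volumeRoot, string $targetFilename): string
{
    // "../" sequences are still present when the path is handed to the delete call ...
    deleteFile($volumeRoot . '/' . $targetFilename);
    // ... and the name is only reduced to something safe for the save step afterwards.
    $safeName = prepareAssetName($targetFilename);
    return $volumeRoot . '/' . $safeName;
}

/** Hardened ordering: reject traversal, prepare the name, confine the path, then delete. */
function replaceFileHardened(string $volumeRoot, string $targetFilename): string
{
    if (looksLikeTraversal($targetFilename)) {
        // Reject (and log) the raw value instead of silently normalising it away.
        throw new InvalidArgumentException('targetFilename must be a bare file name');
    }
    $safeName = prepareAssetName($targetFilename);
    if ($safeName === '' || $safeName === '.' || $safeName === '..') {
        throw new InvalidArgumentException('Empty or invalid target filename');
    }
    $rootReal = realpath($volumeRoot);
    if ($rootReal === false) {
        throw new RuntimeException('Volume root does not exist');
    }
    $candidate = $rootReal . DIRECTORY_SEPARATOR . $safeName;
    // Defence in depth: the parent of the resolved path must be the volume root itself.
    if (realpath(dirname($candidate)) !== $rootReal) {
        throw new RuntimeException('Resolved path escapes the volume root');
    }
    deleteFile($candidate);
    return $candidate;
}

// Demo in a throwaway directory constructed for this example.
$root = sys_get_temp_dir() . '/volume-' . bin2hex(random_bytes(4));
mkdir($root);
file_put_contents("$root/report.pdf", 'old contents');

// The defective handler hands deleteFile() a path containing "../", i.e. outside the volume.
echo 'vulnerable returns: ', replaceFileVulnerable($root, '../sibling/secret.txt'), PHP_EOL;

// The hardened handler refuses the same input before anything touches the filesystem.
try {
    replaceFileHardened($root, '../sibling/secret.txt');
} catch (InvalidArgumentException $e) {
    echo 'hardened rejected: ', $e->getMessage(), PHP_EOL;
}

// A plain file name is accepted and only the file inside the volume root is removed.
echo 'hardened returns: ', replaceFileHardened($root, 'report.pdf'), PHP_EOL;
```

The rejection check is deliberately stricter than the prepare step: a name that needs prepareAssetName() to strip a directory component is treated as hostile input worth logging, not as something to quietly accept, so a monitoring rule on that log line gives the same signal as the error path. The realpath() comparison is kept as a second guard so that the volume boundary holds even if the prepare step is later changed.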

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-32262
GHSA-472V-J2G4-G9H2

Affected Products

Craft CMS