PT-2026-26159 · Unknown · ApostropheCMS +1
0Xer3N · Published 2026-03-18 · Updated 2026-03-19
CVE-2026-32731
CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
ApostropheCMS versions prior to 3.5.3
@apostrophecms/import-export versions prior to 3.5.3
Description
ApostropheCMS contains a Zip Slip vulnerability in the extract() function within gzip.js. The path.join() function does not sanitize or resolve traversal segments like ../, allowing a crafted .tar.gz file uploaded through the CMS import UI to write attacker-controlled content to any path the Node.js process can access on the host filesystem. This is possible because the function constructs file-write paths without performing a canonical-path check before opening the write stream. Any user with the Global Content Modify permission, a role routinely assigned to content editors and site managers, can exploit this issue. The vulnerability allows arbitrary file write, potentially leading to site defacement, malicious asset injection, persistent backdoors, credential theft, and denial of service. The extract() function is located in packages/import-export/lib/formats/gzip.js, lines 132–157. The vulnerability requires the 'Global Content Modify' permission.
Recommendations
Update to version 3.5.3 of @apostrophecms/import-export or later.
Exploit
Fix
Path traversal
Affected Products
@apostrophecms/import-export
ApostropheCMS