PT-2026-33347 · Silverstripe · Silverstripe Assets Module

Published: 2026-04-16 · Updated: 2026-04-17
CVE-2026-24749 · CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Vulnerable Software and Affected Versions
Silverstripe Assets Module versions prior to 2.4.5
Silverstripe Assets Module versions 3.0.0-rc1 through 3.1.2
Description
Images rendered in templates or accessed via DBFile::getURL() or DBFile::getSourceURL() incorrectly add an access grant for the file to the current session. A protected file therefore becomes readable by that session without the normal permission check, allowing file permissions to be bypassed. This typically happens while an image variant is being created, for example through manipulation methods such as ScaleWidth() or Convert(). The fix stops issuing these implicit grants. As a consequence, if DBFile is used in the $db configuration of a DataObject class that does not subclass File and the file's visibility is set to protected, the file now requires an explicit access grant before it can be viewed.
Recommendations
Update to version 2.4.5 (2.x release line) or 3.1.3 (3.x release line).
Set file visibility to public if explicit access grants are not desired for files stored via DBFile in a DataObject class that does not subclass File.
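The following is an added example, not code from the advisory or from the Silverstripe project. It shows how a DataObject that does not subclass File can store a DBFile and, after the fix, issue the explicit access grant itself only once the record-level permission check has passed, and how to switch such a file to public visibility if grants are not wanted. The class Report, the field Preview and the CMS_ACCESS permission code are illustrative assumptions; the DBFile, AssetStore and Permission APIs used are Silverstripe's own.

```php
<?php

// Added example for CVE-2026-24749; not from the advisory or the Silverstripe project.
// Assumes a hypothetical DataObject "Report" with a DBFile field "Preview".

namespace App\Model;

use SilverStripe\Assets\Storage\AssetStore;
use SilverStripe\Assets\Storage\DBFile;
use SilverStripe\ORM\DataObject;
use SilverStripe\Security\Permission;

class Report extends DataObject
{
    private static $table_name = 'Report';

    // A DBFile on a class that does not subclass File. With the fixed module,
    // a protected file here is only viewable by a session that holds an
    // explicit grant; nothing is granted as a side effect of getURL() or of
    // creating a variant such as ScaleWidth(300) in a template.
    private static $db = [
        'Title'   => 'Varchar(255)',
        'Preview' => 'DBFile',
    ];

    // Record-level authorization. Permission code is an assumption for the example.
    public function canView($member = null)
    {
        return Permission::check('CMS_ACCESS', 'any', $member);
    }

    /**
     * Return a URL for the preview that the current session may actually load.
     *
     * On the vulnerable versions, calling getURL() on a protected DBFile granted
     * the current session access regardless of canView(). Here the grant is made
     * deliberately, and only after the record permission check succeeds.
     */
    public function getPreviewURLForCurrentUser(): ?string
    {
        /** @var DBFile $preview */
        $preview = $this->dbObject('Preview');
        if (!$preview->exists()) {
            return null;
        }
        if (!$this->canView()) {
            // Deny before the asset store is touched: no grant, no URL.
            return null;
        }
        if ($preview->getVisibility() === AssetStore::VISIBILITY_PROTECTED
            && !$preview->canViewFile()
        ) {
            // Explicit, intentional grant for this session only.
            $preview->grantFile();
        }
        return $preview->getURL();
    }

    /**
     * Follow the advisory's alternative recommendation: if explicit grants are
     * not desired for this field, make the stored file public. Call this when
     * the preview is meant to be world-readable anyway.
     */
    public function makePreviewPublic(): void
    {
        /** @var DBFile $preview */
        $preview = $this->dbObject('Preview');
        if ($preview->exists()
            && $preview->getVisibility() !== AssetStore::VISIBILITY_PUBLIC
        ) {
            $preview->publishFile();
        }
    }
}
```

In a template, replace a bare `$Preview.ScaleWidth(300)` on a protected field with a call that goes through `getPreviewURLForCurrentUser()` (or grant access in the controller action that renders the page), so that the authorization decision is made in one visible place rather than as a side effect of image manipulation.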

Weakness Enumeration

Incorrect Authorization (CWE-863)
Incorrect Privilege Assignment (CWE-266)

Related Identifiers

CVE-2026-24749
GHSA-JGCF-RF45-2F8V

Affected Products

Silverstripe Assets Module