PT-2026-52489 · Htmly Cms · Htmly Cms

Midhun Mohanan · Published 2026-06-25 · Updated 2026-06-25 · CVE-2026-45233

CVSS v3.1: 8.1 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Name of the Vulnerable Software and Affected Versions

HTMLy CMS versions prior to 3.1.2

Description

Low-privileged authenticated attackers can relocate arbitrary files by providing directory traversal sequences in the oldfile parameter at the 'admin autosave' endpoint. The application passes unsanitized sequences to the file_exists() and rename() functions in admin.php without canonicalization or directory boundary enforcement. This allows the relocation of any file writable by the web server process to a draft location specified by the attacker.

Recommendations

Update to version 3.1.2 or later. As a temporary mitigation, restrict access to the 'admin autosave' endpoint for low-privileged users.
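
The canonicalization and directory boundary check that the description says is missing can be sketched as follows. This is an added example, not HTMLy's code or its 3.1.2 patch; the function names `resolve_within()` and `move_to_draft()`, the directory layout and the sample files are assumptions constructed for illustration.

```php
<?php
// Added illustration; resolve_within() and move_to_draft() are hypothetical names.

// Canonicalize a user-supplied relative path and confirm it stays inside $baseDir.
function resolve_within(string $baseDir, string $userPath): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks; it returns false if the file is missing.
    $real = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Compare against the base plus a trailing separator so that a sibling
    // directory such as "content-old" does not pass as "content".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Move a file into a server-chosen draft directory only after the boundary check.
function move_to_draft(string $contentDir, string $oldfile, string $draftDir): bool
{
    $src = resolve_within($contentDir, $oldfile);
    $draft = realpath($draftDir);
    if ($src === null || $draft === false) {
        // Log the rejected value so traversal attempts are visible to defenders.
        error_log('autosave: rejected oldfile ' . json_encode($oldfile));
        return false;
    }
    // The destination name is derived from basename(), never from a raw request path.
    return rename($src, $draft . DIRECTORY_SEPARATOR . basename($src));
}

// Constructed sample layout: one post inside the content directory, one file outside it.
$root = sys_get_temp_dir() . '/autosave_demo_' . bin2hex(random_bytes(4));
mkdir("$root/content/draft", 0700, true);
file_put_contents("$root/content/post.md", 'post body');
file_put_contents("$root/config.ini", 'outside the content directory');

// A traversal sequence in oldfile, then a legitimate file name.
var_dump(move_to_draft("$root/content", '../config.ini', "$root/content/draft"));
var_dump(move_to_draft("$root/content", 'post.md', "$root/content/draft"));
// Whether the file outside the content directory is still in place.
var_dump(file_exists("$root/config.ini"));
```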

Exploit

Fix

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2026-45233

Affected Products

Htmly Cms