{"vulnerability": "ghsa-c43v-4cr8-6mvp", "sightings": [{"uuid": "aeb16fe5-11d9-497c-9d4a-427aabe553a3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-C43V-4CR8-6MVP", "type": "seen", "source": "https://gist.github.com/alon710/ffb181b33bedea772189a8193fac5697", "content": "# GHSA-C43V-4CR8-6MVP: GHSA-C43V-4CR8-6MVP: Authenticated Path Traversal in Craft CMS Asset Icon Helper\n\n&gt; **CVSS Score:** 6.5\n&gt; **Published:** 2026-07-09\n&gt; **Full Report:** https://cvereports.com/reports/GHSA-C43V-4CR8-6MVP\n\n## Summary\nAn authenticated path traversal and arbitrary local file read vulnerability exists in Craft CMS versions 4.x up to 4.17.6 within the assets/icon endpoint and Assets helper classes. By exploiting this vulnerability, an authenticated user can traverse directories and read arbitrary .svg files on the server's filesystem, or execute Stored Cross-Site Scripting (XSS) if they can upload a malicious SVG.\n\n## TL;DR\nAuthenticated path traversal in Craft CMS allows reading local SVG files and executing Stored XSS via malicious file paths.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-22\n- **Attack Vector**: Network\n- **CVSS Score**: 6.5 (Medium)\n- **EPSS Score**: N/A (No CVE assigned)\n- **Impact**: Local File Read &amp; Stored Cross-Site Scripting (XSS)\n- **Exploit Status**: Proof-of-Concept\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Craft CMS 4.x installations &lt;= 4.17.6\n- **Craft CMS**: &gt;= 4.0.0, &lt;= 4.17.6 (Fixed in: `4.17.7`)\n\n## Mitigation\n\n- Upgrade Craft CMS to version 4.17.7 or later to implement server-side path validation.\n- Configure Web Application Firewall rules to detect and drop requests containing directory traversal sequences in the query parameters.\n- Deploy restrictive Content Security Policies to prevent execution of inline scripts within SVG files inside the browser context.\n\n**Remediation Steps:**\n1. Identify active installations of Craft CMS utilizing the command 'composer show craftcms/cms'.\n2. Execute 'composer update craftcms/cms' to pull the patched version 4.17.7.\n3. Clear application caches using './craft clear-caches/all' to ensure updated helper logic is enforced immediately.\n4. Audit standard user upload directories for unauthorized or suspicious SVG files containing script blocks.\n\n## References\n\n- [GitHub Security Advisory GHSA-C43V-4CR8-6MVP](https://github.com/advisories/GHSA-C43V-4CR8-6MVP)\n- [Craft CMS Fix Commit](https://github.com/craftcms/cms/commit/30f5f1a8d6edf0f3a00be72c42c78d9dc7d72d5c)\n- [Craft CMS Security Policy](https://github.com/craftcms/cms/security/policy)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-C43V-4CR8-6MVP) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-09T15:42:12.657694Z"}]}