anonhaven
Ad

CVE-2026-32731

CRITICAL CVSS 3.1: 9.9 EPSS 0.07%
Updated Mar 24, 2026
Apostrophecms
Parameter Value
CVSS 9.9 (CRITICAL)
Affected Versions before 3.5.3
Fixed In 3.5.3
Type CWE-22 (Path Traversal)
Vendor Apostrophecms
Public PoC No

ApostropheCMS is an open-source content management framework. Prior to version 3.5.3 of `@apostrophecms/import-export`, The `extract()` function in `gzip.js` constructs file-write paths using `fs.createWriteStream(path.join(exportPath, header.name))`. `path.join()` does not resolve or sanitise traversal segments such as `../`. It concatenates them as-is, meaning a tar entry named `../../evil.js` resolves to a path outside the intended extraction directory.

No canonical-path check is performed before the write stream is opened. This is a textbook Zip Slip vulnerability. Any user who has been granted the Global Content Modify permission — a role routinely assigned to content editors and site managers — can upload a crafted `.tar.gz` file through the standard CMS import UI and write attacker-controlled content to any path the Node.js process can reach on the host filesystem.

Version 3.5.3 of `@apostrophecms/import-export` fixes the issue.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
Low
Basic privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
High
Complete denial of service

CVSS Vector v3.1

Weakness Type (CWE)

CWE-22 Path Traversal

Vulnerable Products 1

Configuration From (including) Up to (excluding)
Apostrophecms Import-Export
cpe:2.3:a:apostrophecms:import-export:*:*:*:*:*:node.js:*:*
 3.5.3

References 1

https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-mwxc-m426-…
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-32730

MongoDB

8.1