LeakyCreds

CVE-2026-32731 - Vulnerability Analysis

Critical | CVSS: 9.9

Last Updated: March 19, 2026

ApostropheCMS @apostrophecms/import-export - Path Traversal

Published: March 18, 2026 | Updated: March 19, 2026 | PoC Available | Remote Exploitable

Overview

ApostropheCMS @apostrophecms/import-export versions before 3.5.3 contain a path traversal vulnerability caused by unsanitized file paths in the extract() function in gzip.js, which lets users with the Global Content Modify permission write files outside the intended directories.

Severity & Score

Severity: Critical
CVSS Score: 9.9
EPSS Score: 6.3% (Probability of exploitation in next 30 days)

Impact

Attackers with Global Content Modify permission can write arbitrary files anywhere on the host filesystem accessible to the Node.js process.

Mitigation

Upgrade to version 3.5.3 or later.
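
For reviewing your own archive-handling code for the same class of bug (CWE-22 during extraction), here is a containment check written as an added example. It is not the @apostrophecms/import-export code or its 3.5.3 fix; the function names, the root `/srv/apos-import` and the entry names are constructed for illustration.

```javascript
const path = require('node:path');

// Resolve an archive entry name under extractRoot, or throw if the
// destination would fall outside it. Hypothetical helper, not project code.
function resolveEntryPath(extractRoot, entryName) {
  if (typeof entryName !== 'string' || entryName === '' || entryName.includes('\0')) {
    throw new Error('invalid entry name');
  }
  // Treat backslashes as separators so Windows-style names are checked
  // the same way on every platform.
  const normalized = entryName.replace(/\\/g, '/');
  if (normalized.startsWith('/') || /^[A-Za-z]:/.test(normalized)) {
    throw new Error(`absolute entry path rejected: ${entryName}`);
  }
  const root = path.resolve(extractRoot);
  const dest = path.resolve(root, normalized);
  // Compare against root + separator: a bare prefix test would accept
  // a sibling such as /srv/apos-import-evil.
  const prefix = root.endsWith(path.sep) ? root : root + path.sep;
  if (!dest.startsWith(prefix)) {
    throw new Error(`entry escapes extraction root: ${entryName}`);
  }
  return dest;
}

// Split a list of entry names into those safe to write and those refused.
function auditEntries(extractRoot, entryNames) {
  const safe = [];
  const rejected = [];
  for (const name of entryNames) {
    try {
      safe.push(resolveEntryPath(extractRoot, name));
    } catch (err) {
      rejected.push({ name, reason: err.message });
    }
  }
  return { safe, rejected };
}

// Constructed sample entry names (not taken from a real archive).
const SAMPLE_ENTRIES = [
  'docs.json',
  'attachments/photo.jpg',
  'a/b/../c.txt',                      // stays inside the root after resolution
  '../outside.txt',
  '/tmp/absolute.txt',
  'docs/../../apos-import-evil/x.txt', // sibling directory with a shared prefix
  '..\\..\\win.txt',
];
```

Run the check on every entry before any file or directory is created, and treat a rejected entry as a reason to abort the whole import rather than skip one file.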

Social Media Activity (1 post)

Offensive Sequence
@offseq
Mar 19, 2026

🔎 CVE-2026-32731 (CRITICAL, CVSS 10): Path traversal in ApostropheCMS import-export <3.5.3 lets attackers write files as Node.js user via crafted archives. Upgrade to 3.5.3+ and restrict permissions now! Details: https://radar.offseq.com/threat/cve-2026-32731-cwe-22-improper-limitation-of-a-pat-efa014e1 #OffSeq #CVE202632731 #infosec #cms


GitHub Repositories (1 repo)

Details

CVE ID: CVE-2026-32731
Severity: Critical
CVSS Score: 9.9
Type: path_traversal
Status: unconfirmed
EPSS: 6.3%
Social Posts: 1

CWE

  • CWE-22

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS Score

6.3% (Probability of exploitation in the next 30 days)