CVE-2026-32731 - Vulnerability Analysis
Critical | CVSS: 9.9 | Last Updated: March 18, 2026
ApostropheCMS @apostrophecms/import-export - Path Traversal
Published: March 18, 2026 | Updated: March 18, 2026 | Remote Exploitable
Overview
ApostropheCMS @apostrophecms/import-export versions before 3.5.3 contain a path traversal vulnerability caused by unsanitized file paths in the extract() function in gzip.js, which lets users with the Global Content Modify permission write files outside the intended directories.
Severity & Score
Severity: Critical
CVSS Score: 9.9
Impact
Attackers with Global Content Modify permission can write arbitrary files anywhere on the host filesystem accessible to the Node.js process.
Mitigation
Upgrade to version 3.5.3 or later.
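For code that unpacks archives itself, the bug class described in the Overview is closed by resolving every entry name against the extraction root and refusing anything that lands outside it. The sketch below is an added illustration, not the project's patch or code from the package; the function names, the extraction directory and the sample entry names are assumptions constructed for the example.

```javascript
// Added illustration; not code from @apostrophecms/import-export.
const path = require('node:path');

// Resolve one file entry name against the extraction root and refuse any
// name that would land outside it. Returns the absolute path to write.
function resolveEntry(root, entryName) {
  const base = path.resolve(root);
  // resolve() collapses "." and ".." segments and lets an absolute entry
  // name override the base, so the result is where a write would really go.
  const target = path.resolve(base, entryName);
  // Compare with relative() rather than target.startsWith(base): a prefix
  // test would accept a sibling directory such as "<base>-evil".
  const rel = path.relative(base, target);
  const escapes = rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
  if (rel === '' || escapes) {
    throw new Error(`entry escapes extraction root: ${entryName}`);
  }
  return target;
}

// Split a list of entry names into paths that may be written and names
// that must be skipped, so the caller can log every rejection.
function planExtraction(root, entryNames) {
  const plan = { write: [], rejected: [] };
  for (const name of entryNames) {
    try {
      plan.write.push(resolveEntry(root, name));
    } catch (err) {
      plan.rejected.push(name);
    }
  }
  return plan;
}

// Constructed sample input (not taken from a real export archive).
const SAMPLE_ROOT = '/srv/app/tmp/import'; // hypothetical extraction directory
const SAMPLE_ENTRIES = [
  'docs.json',
  'attachments/photo.jpg',
  'attachments/./a/../photo2.jpg', // normalizes to a path inside the root
  '../../outside.txt',             // climbs above the root
  '/tmp/outside.txt',              // absolute name ignores the root
  '../import-evil/x.txt',          // sibling directory sharing the prefix
  'attachments/../../outside.txt', // starts inside, ends outside
];

console.log(planExtraction(SAMPLE_ROOT, SAMPLE_ENTRIES));
```

The check covers entry names only; it assumes a POSIX host for the sample paths shown.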
Details
- CVE ID: CVE-2026-32731
- Severity: Critical
- CVSS Score: 9.9
- Type: path_traversal
- Status: new
CWE
- CWE-22
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H