-
-
Notifications
You must be signed in to change notification settings - Fork 230
Expand file tree
/
Copy pathCVE-2026-1776.yml
More file actions
34 lines (34 loc) · 1.57 KB
/
CVE-2026-1776.yml
File metadata and controls
34 lines (34 loc) · 1.57 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
---
gem: camaleon_cms
cve: 2026-1776
ghsa: jw5g-f64p-6x78
url: https://nvd.nist.gov/vuln/detail/CVE-2026-1776
title: Camaleon CMS vulnerable to Path Traversal through
AWS S3 uploader implementation
date: 2026-03-10
description: |
Camaleon CMS versions 2.4.5.0 through 2.9.1, prior to commit f54a77e,
contain a path traversal vulnerability in the AWS S3 uploader
implementation that allows authenticated users to read arbitrary
files from the web server’s filesystem. The issue occurs in the
download_private_file functionality when the application is
configured to use the CamaleonCmsAwsUploader backend. Unlike the
local uploader implementation, the AWS uploader does not validate
file paths with valid_folder_path?, allowing directory traversal
sequences to be supplied via the file parameter. As a result, any
authenticated user, including low-privileged registered users, can
access sensitive files such as /etc/passwd. This issue represents a
bypass of the incomplete fix for CVE-2024-46987 and affects
deployments using the AWS S3 storage backend.
cvss_v4: 6.0
unaffected_versions:
- "< 2.4.5.0"
notes: 'Never patched; last release was 2.9.1'
related:
url:
- https://nvd.nist.gov/vuln/detail/CVE-2026-1776
- https://github.com/owen2345/camaleon-cms/pull/1127
- https://github.com/owen2345/camaleon-cms/commit/f54a77e2a7be601215ea1b396038c589a0cab9af
- https://camaleon.website
- https://www.vulncheck.com/advisories/camaleon-cms-aws-uploader-authenticated-path-traversal-arbitrary-file-read
- https://github.com/advisories/GHSA-jw5g-f64p-6x78