Cyber Resilience

CVE-2026-32731

Severity: Critical · Public PoC

Published: 18 March 2026

Modified: 24 March 2026
CVSS v3.1: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS: 0.0043 (34.4th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-32731 is a critical-severity Path Traversal (CWE-22) vulnerability in Apostrophecms Import-Export. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 34.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-32731 is a path traversal vulnerability, classified as CWE-22 and dubbed a textbook Zip Slip issue, affecting the `@apostrophecms/import-export` module in ApostropheCMS, an open-source content management framework. In versions prior to 3.5.3, the `extract()` function in `gzip.js` constructs file-write paths using `fs.createWriteStream(path.join(exportPath, header.name))`. The `path.join()` function fails to resolve or sanitize traversal segments like `../`, allowing a tar entry such as `../../evil.js` to resolve to a path outside the intended extraction directory. No canonical-path check occurs before opening the write stream. The vulnerability carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

An attacker with low privileges can exploit this vulnerability remotely over the network with no user interaction required. Specifically, any user granted the Global Content Modify permission—commonly assigned to content editors and site managers—can upload a specially crafted `.tar.gz` file through the standard CMS import UI. This enables writing arbitrary attacker-controlled content to any filesystem path reachable by the host's Node.js process, potentially leading to full compromise through code execution, data exfiltration, or persistent access.

The GitHub security advisory at https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-mwxc-m426-3f78 details the fix in version 3.5.3 of `@apostrophecms/import-export`, which addresses the path traversal by implementing proper sanitization or canonicalization before file writes. Security practitioners should upgrade to this patched version immediately and review access to the Global Content Modify permission.

Vulnerability details

ApostropheCMS is an open-source content management framework. Prior to version 3.5.3 of `@apostrophecms/import-export`, the `extract()` function in `gzip.js` constructs file-write paths using `fs.createWriteStream(path.join(exportPath, header.name))`. `path.join()` does not reject or sanitise traversal segments such as `../`; it concatenates them as-is, meaning a tar entry named `../../evil.js` resolves to a path outside the intended extraction directory. No canonical-path check is performed before the write stream is opened. This is a textbook Zip Slip vulnerability. Any user who has been granted the Global Content Modify permission — a role routinely assigned to content editors and site managers — can upload a crafted `.tar.gz` file through the standard CMS import UI and write attacker-controlled content to any path the Node.js process can reach on the host filesystem. Version 3.5.3 of `@apostrophecms/import-export` fixes the issue.

CWE(s)

CWE-22 (Path Traversal)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Path traversal in the authenticated CMS import enables remote exploitation of a public-facing application (T1190), and the resulting arbitrary file write allows direct deployment of web shells (T1505.003).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-24406 (shared CWE-22)
CVE-2026-24848 (shared CWE-22)
CVE-2024-11642 (shared CWE-22)
CVE-2026-36760 (shared CWE-22)
CVE-2024-44373 (shared CWE-22)
CVE-2026-33529 (shared CWE-22)
CVE-2026-7519 (shared CWE-22)
CVE-2019-25480 (shared CWE-22)
CVE-2026-39844 (shared CWE-22)
CVE-2026-34607 (shared CWE-22)

Affected Assets

apostrophecms / import-export / ≤ 3.5.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

SI-10 (prevent): mandates validation of inputs like tar entry paths to block traversal sequences such as '../' during file extraction from uploaded archives.

SI-2 (prevent): requires timely flaw remediation, including patching the gzip.js extract function to implement path sanitization as done in version 3.5.3.

AC-6 (prevent): least privilege minimizes exploitation risk by restricting the Global Content Modify permission to only essential users, such as trusted site managers.

References