CVE-2026-32731
Published: 18 March 2026
Summary
CVE-2026-32731 is a critical-severity Path Traversal (CWE-22) vulnerability in Apostrophecms Import-Export. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 24.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 mandates validation of inputs such as tar entry names during extraction of uploaded archives. The check should canonicalise the target path and confirm it stays under the extraction directory rather than only searching for '../' substrings, which misses absolute entry names and sibling-directory prefixes.
SI-2 requires timely flaw remediation, including patching the gzip.js extract function to implement path sanitization as done in version 3.5.3.
AC-6 least privilege minimizes exploitation risk by restricting Global Content Modify permission to only essential users like trusted site managers.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in the authenticated CMS import lets an attacker exploit the public-facing application (T1190) and, through the resulting arbitrary file write, drop a web shell or other server-side code on the host (T1505.003).
NVD Description
ApostropheCMS is an open-source content management framework. Prior to version 3.5.3 of `@apostrophecms/import-export`, the `extract()` function in `gzip.js` constructs file-write paths using `fs.createWriteStream(path.join(exportPath, header.name))`. `path.join()` does not resolve or sanitise traversal segments such as `../`. It concatenates them as-is, meaning a tar entry named `../../evil.js` resolves to a path outside the intended extraction directory. No canonical-path check is performed before the write stream is opened. This is a textbook Zip Slip vulnerability. Any user who has been granted the Global Content Modify permission — a role routinely assigned to content editors and site managers — can upload a crafted `.tar.gz` file through the standard CMS import UI and write attacker-controlled content to any path the Node.js process can reach on the host filesystem. Version 3.5.3 of `@apostrophecms/import-export` fixes the issue.
Deeper analysis
CVE-2026-32731 is a path traversal vulnerability, classified as CWE-22 and described as a textbook Zip Slip issue, affecting the `@apostrophecms/import-export` module in ApostropheCMS, an open-source content management framework. In versions prior to 3.5.3, the `extract()` function in `gzip.js` constructs file-write paths using `fs.createWriteStream(path.join(exportPath, header.name))`. `path.join()` normalises `..` segments but performs no check that the result remains under `exportPath`, so a tar entry such as `../../evil.js` resolves to a path two directories above the intended extraction directory. No canonical-path check occurs before the write stream is opened. The vulnerability carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
An attacker with low privileges can exploit this vulnerability remotely over the network with no user interaction required. Specifically, any user granted the Global Content Modify permission—commonly assigned to content editors and site managers—can upload a specially crafted `.tar.gz` file through the standard CMS import UI. This enables writing arbitrary attacker-controlled content to any filesystem path reachable by the host's Node.js process, potentially leading to full compromise through code execution, data exfiltration, or persistent access.
The GitHub security advisory at https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-mwxc-m426-3f78 covers the fix in version 3.5.3 of `@apostrophecms/import-export`, which addresses the path traversal by sanitising or canonicalising the target path before the file write. Security practitioners should confirm the installed module version, upgrade to 3.5.3 or later immediately, and review which accounts hold the Global Content Modify permission.
Details
- CWE(s)