CVE Catalog

CVE-2026-1776

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Elevated risk
0.73%

50th percentile - higher than 50% of all known CVEs

Summary

A path traversal vulnerability in Camaleon CMS versions 2.4.5.0 through 2.9.0 (prior to commit f54a77e) in the AWS S3 uploader implementation. Authenticated users can read arbitrary files from the web server's filesystem by manipulating the 'file' parameter in the download_private_file function.

Risk Assessment

The risk involves the ability for any authenticated user, including low-privileged accounts, to read sensitive system files (e.g., /etc/passwd). This could lead to credential disclosure or exposure of other confidential information.

Recommendation

Immediately update Camaleon CMS to a version containing commit f54a77e or later. If an update is not possible, temporarily disable the AWS S3 backend or restrict access to the download_private_file function.

Original NVD description (English source)

Camaleon CMS versions 2.4.5.0 through 2.9.0, prior to commit f54a77e, contain a path traversal vulnerability in the AWS S3 uploader implementation that allows authenticated users to read arbitrary files from the web server’s filesystem. The issue occurs in the download_private_file functionality when the application is configured to use the CamaleonCmsAwsUploader backend. Unlike the local uploader implementation, the AWS uploader does not validate file paths with valid_folder_path?, allowing directory traversal sequences to be supplied via the file parameter. As a result, any authenticated user, including low-privileged registered users, can access sensitive files such as /etc/passwd. This issue represents a bypass of the incomplete fix for CVE-2024-46987 and affects deployments using the AWS S3 storage backend.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS