{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1776", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-02-02T18:05:13.516Z", "datePublished": "2026-03-09T21:08:06.600Z", "dateUpdated": "2026-05-14T02:09:04.462Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-05-14T02:09:04.462Z"}, "title": "Camaleon CMS AWS Uploader Authenticated Path Traversal Arbitrary File Read", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "affected": [{"vendor": "owen2345", "product": "Camaleon CMS", "packageName": "camaleon-cms", "repo": "https://github.com/owen2345/camaleon-cms", "versions": [{"status": "affected", "version": "2.4.5.0", "lessThanOrEqual": "2.9.0", "versionType": "custom"}, {"status": "unaffected", "version": "f54a77e2a7be601215ea1b396038c589a0cab9af", "versionType": "git"}], "defaultStatus": "unaffected"}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:tuzitio:camaleon_cms:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.4.5.0", "versionEndIncluding": "2.9.0"}]}]}], "descriptions": [{"lang": "en", "value": "Camaleon CMS versions 2.4.5.0 through 2.9.0, prior to commit f54a77e, contain a path traversal vulnerability in the AWS S3 uploader implementation that allows authenticated users to read arbitrary files from the web server\u2019s filesystem. The issue occurs in the download_private_file functionality when the application is configured to use the CamaleonCmsAwsUploader backend. Unlike the local uploader implementation, the AWS uploader does not validate file paths with valid_folder_path?, allowing directory traversal sequences to be supplied via the file parameter. As a result, any authenticated user, including low-privileged registered users, can access sensitive files such as /etc/passwd. This issue represents a bypass of the incomplete fix for CVE-2024-46987 and affects deployments using the AWS S3 storage backend.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Camaleon CMS versions 2.4.5.0 through 2.9.0, prior to commit f54a77e, contain a path traversal vulnerability in the AWS S3 uploader implementation that allows authenticated users to read arbitrary files from the web server\u2019s filesystem. The issue occurs in the download_private_file functionality when the application is configured to use the CamaleonCmsAwsUploader backend. Unlike the local uploader implementation, the AWS uploader does not validate file paths with valid_folder_path?, allowing directory traversal sequences to be supplied via the file parameter. As a result, any authenticated user, including low-privileged registered users, can access sensitive files such as /etc/passwd. This issue represents a bypass of the incomplete fix for CVE-2024-46987 and affects deployments using the AWS S3 storage backend."}]}], "references": [{"url": "https://github.com/owen2345/camaleon-cms/pull/1127", "tags": ["issue-tracking"]}, {"url": "https://github.com/owen2345/camaleon-cms/commit/f54a77e2a7be601215ea1b396038c589a0cab9af", "tags": ["patch"]}, {"url": "https://camaleon.website/", "tags": ["product"]}, {"url": "https://www.vulncheck.com/advisories/camaleon-cms-aws-uploader-authenticated-path-traversal-arbitrary-file-read", "tags": ["third-party-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 6, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"}}], "credits": [{"lang": "en", "value": "Michael Loomis (investigato)", "type": "finder"}, {"lang": "en", "value": "VulnCheck", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T14:57:09.790742Z", "id": "CVE-2026-1776", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T14:57:17.119Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1776", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T14:57:09.790742Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T14:57:13.160Z"}}], "cna": {"title": "Camaleon CMS AWS Uploader Authenticated Path Traversal Arbitrary File Read", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Michael Loomis (investigato)"}, {"lang": "en", "type": "coordinator", "value": "VulnCheck"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/owen2345/camaleon-cms", "vendor": "owen2345", "product": "Camaleon CMS", "versions": [{"status": "affected", "version": "2.4.5.0", "versionType": "custom", "lessThanOrEqual": "2.9.0"}, {"status": "unaffected", "version": "f54a77e2a7be601215ea1b396038c589a0cab9af", "versionType": "git"}], "packageName": "camaleon-cms", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/owen2345/camaleon-cms/pull/1127", "tags": ["issue-tracking"]}, {"url": "https://github.com/owen2345/camaleon-cms/commit/f54a77e2a7be601215ea1b396038c589a0cab9af", "tags": ["patch"]}, {"url": "https://camaleon.website/", "tags": ["product"]}, {"url": "https://www.vulncheck.com/advisories/camaleon-cms-aws-uploader-authenticated-path-traversal-arbitrary-file-read", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Camaleon CMS versions 2.4.5.0 through 2.9.0, prior to commit f54a77e, contain a path traversal vulnerability in the AWS S3 uploader implementation that allows authenticated users to read arbitrary files from the web server\u2019s filesystem. The issue occurs in the download_private_file functionality when the application is configured to use the CamaleonCmsAwsUploader backend. Unlike the local uploader implementation, the AWS uploader does not validate file paths with valid_folder_path?, allowing directory traversal sequences to be supplied via the file parameter. As a result, any authenticated user, including low-privileged registered users, can access sensitive files such as /etc/passwd. This issue represents a bypass of the incomplete fix for CVE-2024-46987 and affects deployments using the AWS S3 storage backend.", "supportingMedia": [{"type": "text/html", "value": "Camaleon CMS versions 2.4.5.0 through 2.9.0, prior to commit f54a77e, contain a path traversal vulnerability in the AWS S3 uploader implementation that allows authenticated users to read arbitrary files from the web server\u2019s filesystem. The issue occurs in the download_private_file functionality when the application is configured to use the CamaleonCmsAwsUploader backend. Unlike the local uploader implementation, the AWS uploader does not validate file paths with valid_folder_path?, allowing directory traversal sequences to be supplied via the file parameter. As a result, any authenticated user, including low-privileged registered users, can access sensitive files such as /etc/passwd. This issue represents a bypass of the incomplete fix for CVE-2024-46987 and affects deployments using the AWS S3 storage backend.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:tuzitio:camaleon_cms:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "2.9.0", "versionStartIncluding": "2.4.5.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-05-14T02:09:04.462Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1776", "state": "PUBLISHED", "dateUpdated": "2026-05-14T02:09:04.462Z", "dateReserved": "2026-02-02T18:05:13.516Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-03-09T21:08:06.600Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tuzitio:camaleon_cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "6CD58B4B-A874-4802-A817-72F4C8104C09", "versionEndIncluding": "2.9.0", "versionStartIncluding": "2.4.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Camaleon CMS versions 2.4.5.0 through 2.9.0, prior to commit f54a77e, contain a path traversal vulnerability in the AWS S3 uploader implementation that allows authenticated users to read arbitrary files from the web server\u2019s filesystem. The issue occurs in the download_private_file functionality when the application is configured to use the CamaleonCmsAwsUploader backend. Unlike the local uploader implementation, the AWS uploader does not validate file paths with valid_folder_path?, allowing directory traversal sequences to be supplied via the file parameter. As a result, any authenticated user, including low-privileged registered users, can access sensitive files such as /etc/passwd. This issue represents a bypass of the incomplete fix for CVE-2024-46987 and affects deployments using the AWS S3 storage backend."}, {"lang": "es", "value": "Las versiones 2.4.5.0 a 2.9.0 de Camaleon CMS, anteriores al commit f54a77e, contienen una vulnerabilidad de salto de ruta en la implementaci\u00f3n del cargador de AWS S3 que permite a los usuarios autenticados leer archivos arbitrarios del sistema de archivos del servidor web. El problema ocurre en la funcionalidad download_private_file cuando la aplicaci\u00f3n est\u00e1 configurada para usar el backend CamaleonCmsAwsUploader. A diferencia de la implementaci\u00f3n del cargador local, el cargador de AWS no valida las rutas de archivo con valid_folder_path?, permitiendo que se suministren secuencias de salto de directorio a trav\u00e9s del par\u00e1metro file. Como resultado, cualquier usuario autenticado, incluidos los usuarios registrados con pocos privilegios, puede acceder a archivos sensibles como /etc /passwd. Este problema representa una omisi\u00f3n de la correcci\u00f3n incompleta para CVE-2024-46987 y afecta a las implementaciones que utilizan el backend de almacenamiento de AWS S3."}], "id": "CVE-2026-1776", "lastModified": "2026-04-17T20:59:47.330", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.0, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-03-10T07:38:01.950", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Product"], "url": "https://camaleon.website/"}, {"source": "disclosure@vulncheck.com", "tags": ["Patch"], "url": "https://github.com/owen2345/camaleon-cms/commit/f54a77e2a7be601215ea1b396038c589a0cab9af"}, {"source": "disclosure@vulncheck.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/owen2345/camaleon-cms/pull/1127"}, {"source": "disclosure@vulncheck.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.vulncheck.com/advisories/camaleon-cms-aws-uploader-authenticated-path-traversal-arbitrary-file-read"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "disclosure@vulncheck.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[2.4.5.0,2.9.0]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "commit f54a77e"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Camaleon CMS", "source": "cna", "vendor": "owen2345"}, "product": "camaleon_cms", "vendor": "owen2345"}], "analysis": {"en": {"generated_at": "2026-04-16T10:11:43.776760+00:00", "value": {"mitigation_remediation": ["Apply the patch from commit f54a77e or upgrade to a Camaleon CMS release that incorporates this change.", "If upgrading immediately is not feasible, reconfigure the CMS to disable the CamaleonCmsAwsUploader backend and use the local uploader instead, eliminating the unvalidated path traversal path.", "Restrict the download_private_file functionality to privileged administrators only, or add additional access controls that prevent low\u2011privileged users from invoking file download operations."], "summary": {"action": "Patch Now", "impact": "Arbitrary File Read via Authenticated Path Traversal"}, "threat_synthesis": {"affected_systems": "The flaw affects deployments of Camaleon CMS from version 2.4.5.0 up to and including 2.9.0 that are configured to use the Amazon Web Services S3 storage backend. Users of earlier or later releases, or those not employing the AWS uploader, are not impacted.", "description_and_impact": "Camaleon CMS versions 2.4.5.0 through 2.9.0 allow an authenticated attacker to read arbitrary files from the web server\u2019s filesystem. The vulnerability resides in the AWS S3 uploader\u2019s download_private_file method, which fails to validate file paths when the backend is set to CamaleonCmsAwsUploader. This omission lets users supply path traversal sequences that can expose sensitive files such as /etc/passwd, subverting confidentiality controls and exposing system configuration.", "risk_and_exploitability": "The CVSS score of 6 indicates a medium severity, and the EPSS assessment of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers must be authenticated, yet any low\u2011privileged registered user can trigger the read operation, meaning a wide range of accounts could potentially exploit the flaw within their authorized scope."}}}}, "created": "2026-03-10T14:07:00.751212+00:00", "updated": "2026-04-16T10:15:26.112290+00:00", "vendors": ["owen2345", "owen2345$PRODUCT$camaleon_cms"]}