{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-30462", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-27T17:50:32.803Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-04-27T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-27T16:57:17.467Z"}, "descriptions": [{"lang": "en", "value": "A path traversal vulnerability in the Blocks module of Daylight Studio FuelCMS v1.5.2 allows attackers to execute a directory traversal."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "http://daylight.com"}, {"url": "http://fuelcms.com"}, {"url": "https://github.com/daylightstudio/FUEL-CMS/blob/master/fuel/modules/fuel/controllers/Blocks.php"}, {"url": "https://pentest-tools.com/PTT-2025-031-Sensitive-File-Read-via-Path-Traversal.pdf"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-22", "lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "references": [{"url": "https://pentest-tools.com/PTT-2025-031-Sensitive-File-Read-via-Path-Traversal.pdf", "tags": ["exploit"]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-27T17:50:28.305045Z", "id": "CVE-2026-30462", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T17:50:32.803Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-30462", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-27T17:50:28.305045Z"}}}], "references": [{"url": "https://pentest-tools.com/PTT-2025-031-Sensitive-File-Read-via-Path-Traversal.pdf", "tags": ["exploit"]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T17:50:22.967Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "http://daylight.com"}, {"url": "http://fuelcms.com"}, {"url": "https://github.com/daylightstudio/FUEL-CMS/blob/master/fuel/modules/fuel/controllers/Blocks.php"}, {"url": "https://pentest-tools.com/PTT-2025-031-Sensitive-File-Read-via-Path-Traversal.pdf"}], "descriptions": [{"lang": "en", "value": "A path traversal vulnerability in the Blocks module of Daylight Studio FuelCMS v1.5.2 allows attackers to execute a directory traversal."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-27T16:57:17.467Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30462", "state": "PUBLISHED", "dateUpdated": "2026-04-27T17:50:32.803Z", "dateReserved": "2026-03-04T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-27T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A path traversal vulnerability in the Blocks module of Daylight Studio FuelCMS v1.5.2 allows attackers to execute a directory traversal."}], "id": "CVE-2026-30462", "lastModified": "2026-04-27T18:35:53.583", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-27T17:16:42.930", "references": [{"source": "cve@mitre.org", "url": "http://daylight.com"}, {"source": "cve@mitre.org", "url": "http://fuelcms.com"}, {"source": "cve@mitre.org", "url": "https://github.com/daylightstudio/FUEL-CMS/blob/master/fuel/modules/fuel/controllers/Blocks.php"}, {"source": "cve@mitre.org", "url": "https://pentest-tools.com/PTT-2025-031-Sensitive-File-Read-via-Path-Traversal.pdf"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://pentest-tools.com/PTT-2025-031-Sensitive-File-Read-via-Path-Traversal.pdf"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.5.2"}}], "enrichment": {"confidence": 82.0, "confidence_source": "matching", "scores": [{"score": 85.0, "source": "inferred"}, {"score": 82.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "fuel_cms", "vendor": "daylightstudio"}], "analysis": {"en": {"generated_at": "2026-04-29T02:18:37.643903+00:00", "value": {"mitigation_remediation": ["Sanitize and validate the file path input in the Blocks module to reject traversal characters such as \"../\" or other directory\u2011navigation sequences.", "Restrict the file system permissions of the web application process so that it cannot read files outside the intended application directory.", "Limit HTTP access to the Blocks module endpoint using firewall rules or web\u2011server configuration, restricting it to trusted IP ranges or removing it from public exposure."], "summary": {"action": "Assess Impact", "impact": "Directory Traversal"}, "threat_synthesis": {"affected_systems": "The affected software is Daylight Studio FuelCMS version 1.5.2, limited to the Blocks module. No other vendors or products are identified as impacted in the provided data.", "description_and_impact": "A path traversal vulnerability exists in the Blocks module of Daylight Studio FuelCMS v1.5.2. The flaw allows an attacker to craft file path inputs that enable traversal outside the intended directory structure. This could potentially result in the application accessing files that it should not be able to read, thereby risking disclosure of sensitive data that resides on the web server's file system.", "risk_and_exploitability": "The CVSS score of 4.3 categorizes the vulnerability as low severity. The EPSS score is below 1% (0.0006), indicating a very low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote, achieved by sending crafted HTTP requests to the Blocks module endpoint that include a manipulated path parameter. No additional privileges or conditions are mentioned, suggesting exploitation would be straightforward once the target is reachable."}}}}, "created": "2026-04-28T05:15:22.931019+00:00", "title": "Directory Traversal in Daylight Studio FuelCMS Blocks Module 1.5.2", "updated": "2026-04-29T02:30:07.566943+00:00", "vendors": ["daylightstudio", "daylightstudio$PRODUCT$fuel_cms"]}