{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32731", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-13T15:02:00.627Z", "datePublished": "2026-03-18T22:03:25.682Z", "dateUpdated": "2026-03-19T16:04:47.962Z"}, "containers": {"cna": {"title": "ApostropheCMS has Arbitrary File Write (Zip Slip / Path Traversal) in Import-Export Gzip Extraction", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-mwxc-m426-3f78", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-mwxc-m426-3f78"}], "affected": [{"vendor": "apostrophecms", "product": "import-export", "versions": [{"version": "< 3.5.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-18T22:03:25.682Z"}, "descriptions": [{"lang": "en", "value": "ApostropheCMS is an open-source content management framework. Prior to version 3.5.3 of `@apostrophecms/import-export`,\nThe `extract()` function in `gzip.js` constructs file-write paths using `fs.createWriteStream(path.join(exportPath, header.name))`. `path.join()` does not resolve or sanitise traversal segments such as `../`. It concatenates them as-is, meaning a tar entry named `../../evil.js` resolves to a path outside the intended extraction directory. No canonical-path check is performed before the write stream is opened. This is a textbook Zip Slip vulnerability. Any user who has been granted the Global Content Modify permission \u2014 a role routinely assigned to content editors and site managers \u2014 can upload a crafted `.tar.gz` file through the standard CMS import UI and write attacker-controlled content to any path the Node.js process can reach on the host filesystem. Version 3.5.3 of `@apostrophecms/import-export` fixes the issue."}], "source": {"advisory": "GHSA-mwxc-m426-3f78", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-19T15:54:58.106435Z", "id": "CVE-2026-32731", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T16:04:47.962Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32731", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-19T15:54:58.106435Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T16:03:40.666Z"}}], "cna": {"title": "ApostropheCMS has Arbitrary File Write (Zip Slip / Path Traversal) in Import-Export Gzip Extraction", "source": {"advisory": "GHSA-mwxc-m426-3f78", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "apostrophecms", "product": "import-export", "versions": [{"status": "affected", "version": "< 3.5.3"}]}], "references": [{"url": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-mwxc-m426-3f78", "name": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-mwxc-m426-3f78", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "ApostropheCMS is an open-source content management framework. Prior to version 3.5.3 of `@apostrophecms/import-export`,\nThe `extract()` function in `gzip.js` constructs file-write paths using `fs.createWriteStream(path.join(exportPath, header.name))`. `path.join()` does not resolve or sanitise traversal segments such as `../`. It concatenates them as-is, meaning a tar entry named `../../evil.js` resolves to a path outside the intended extraction directory. No canonical-path check is performed before the write stream is opened. This is a textbook Zip Slip vulnerability. Any user who has been granted the Global Content Modify permission \u2014 a role routinely assigned to content editors and site managers \u2014 can upload a crafted `.tar.gz` file through the standard CMS import UI and write attacker-controlled content to any path the Node.js process can reach on the host filesystem. Version 3.5.3 of `@apostrophecms/import-export` fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-18T22:03:25.682Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32731", "state": "PUBLISHED", "dateUpdated": "2026-03-19T16:04:47.962Z", "dateReserved": "2026-03-13T15:02:00.627Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-18T22:03:25.682Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apostrophecms:import-export:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "DC368091-4E2B-454F-BFA1-96EADD6524A9", "versionEndExcluding": "3.5.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ApostropheCMS is an open-source content management framework. Prior to version 3.5.3 of `@apostrophecms/import-export`,\nThe `extract()` function in `gzip.js` constructs file-write paths using `fs.createWriteStream(path.join(exportPath, header.name))`. `path.join()` does not resolve or sanitise traversal segments such as `../`. It concatenates them as-is, meaning a tar entry named `../../evil.js` resolves to a path outside the intended extraction directory. No canonical-path check is performed before the write stream is opened. This is a textbook Zip Slip vulnerability. Any user who has been granted the Global Content Modify permission \u2014 a role routinely assigned to content editors and site managers \u2014 can upload a crafted `.tar.gz` file through the standard CMS import UI and write attacker-controlled content to any path the Node.js process can reach on the host filesystem. Version 3.5.3 of `@apostrophecms/import-export` fixes the issue."}, {"lang": "es", "value": "ApostropheCMS es un framework de gesti\u00f3n de contenido de c\u00f3digo abierto. Antes de la versi\u00f3n 3.5.3 de `'@apostrophecms/import-export'`, la funci\u00f3n `'extract'`() en `'gzip.js'` construye rutas de escritura de archivos usando `'fs.createWriteStream(path.join(exportPath, header.name))'`. `'path.join'`() no resuelve ni sanitiza segmentos de recorrido como `'../'`. Los concatena tal cual, lo que significa que una entrada tar llamada `'../../evil.js'` se resuelve a una ruta fuera del directorio de extracci\u00f3n previsto. No se realiza ninguna comprobaci\u00f3n de ruta can\u00f3nica antes de que se abra el flujo de escritura. Esta es una vulnerabilidad Zip Slip de libro de texto. Cualquier usuario al que se le haya concedido el permiso de Modificar Contenido Global \u2014 un rol asignado rutinariamente a editores de contenido y administradores de sitios \u2014 puede cargar un archivo '.tar.gz' manipulado a trav\u00e9s de la interfaz de usuario de importaci\u00f3n est\u00e1ndar del CMS y escribir contenido controlado por el atacante en cualquier ruta que el proceso de Node.js pueda alcanzar en el sistema de archivos del host. La versi\u00f3n 3.5.3 de `'@apostrophecms/import-export'` soluciona el problema."}], "id": "CVE-2026-32731", "lastModified": "2026-03-24T21:31:54.240", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-18T23:17:29.543", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-mwxc-m426-3f78"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.5.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "import-export", "source": "cna", "vendor": "apostrophecms"}, "product": "import-export", "vendor": "apostrophecms"}], "analysis": {"en": {"generated_at": "2026-03-24T22:30:13.903899+00:00", "value": {"mitigation_remediation": ["Upgrade the @apostrophecms/import-export package to version 3.5.3 or newer.", "If an upgrade cannot be performed immediately, remove Global Content Modify permission from unauthenticated or untrusted users and disable the import feature for untrusted accounts.", "Verify that the Node.js process is running with the least privileges required and monitor file\u2011write operations within the application\u2019s directory to detect any anomalous activity."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The flaw exists in the @apostrophecms/import-export package for all releases prior to v3.5.3. Users who possess Global Content Modify permissions \u2013 typically editors or site managers \u2013 can trigger the vulnerability through the CMS import interface. The affected component runs under the Node.js environment and can write anywhere within the process\u2019s file\u2011system access rights.", "description_and_impact": "ApostropheCMS suffered a zip slip vulnerability in the import\u2011export module where the Gzip extraction logic concatenates archive entry names with the target directory without sanitising them. An attacker can craft a payload containing traversal sequences such as \"../../evil.js\" which, when processed, is written to arbitrary paths reachable by the Node.js process. By overwriting configuration files, server-side scripts, or executable binaries the attacker can gain full control of the application or host, compromising confidentiality, integrity, and availability.", "risk_and_exploitability": "The CVSS rating is 10, indicating a critical impact. EPSS shows less than 1% probability of exploitation in the wild, and the flaw is not listed in CISA's Known Exploited Vulnerabilities catalog. The attack requires authenticated access with content\u2011modify rights and the ability to upload a .tar.gz file; once the credentials are in place, the exploit is straightforward and does not demand additional privileges. The path traversal flaw can be leveraged to achieve remote code execution, making it highly exploitable for attackers with moderate access within the CMS."}}}}, "created": "2026-03-19T08:55:13.069015+00:00", "updated": "2026-03-25T11:51:56.240915+00:00", "vendors": ["apostrophecms", "apostrophecms$PRODUCT$import-export"]}