CVE-2026-1776

MEDIUM

Camaleon CMS 2.4.5.0-2.9.0 - Path Traversal


Description

Camaleon CMS versions 2.4.5.0 through 2.9.0, prior to commit f54a77e, contain a path traversal vulnerability in the AWS S3 uploader implementation that allows authenticated users to read arbitrary files from the web server’s filesystem. The issue occurs in the download_private_file functionality when the application is configured to use the CamaleonCmsAwsUploader backend. Unlike the local uploader implementation, the AWS uploader does not validate file paths with valid_folder_path?, allowing directory traversal sequences to be supplied via the file parameter. As a result, any authenticated user, including low-privileged registered users, can access sensitive files such as /etc/passwd. This issue represents a bypass of the incomplete fix for CVE-2024-46987 and affects deployments using the AWS S3 storage backend.
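The missing check described above is a path-containment test on the user-supplied file parameter. The following Ruby is an added example written for this page, not Camaleon CMS code: the storage root, the method names and the sample paths are assumptions, and it shows the validation a private-file download handler needs regardless of which uploader backend is configured.

```ruby
# Added example (not Camaleon CMS code). The private storage root and the
# method names below are assumptions chosen for illustration.
require "pathname"

PRIVATE_ROOT = "/srv/camaleon/private".freeze # assumed on-disk storage root

# Resolve the user-supplied +file+ parameter beneath +root+ and return the
# absolute path only when it stays strictly inside the root; otherwise nil.
# Normalisation is lexical (File.expand_path collapses "." and ".."), which
# is what a traversal sequence such as "../../etc/passwd" relies on.
def safe_private_path(file, root = PRIVATE_ROOT)
  return nil if file.nil? || file.empty?
  return nil if file.include?("\0")           # NUL bytes truncate paths in C-level APIs
  return nil if Pathname.new(file).absolute?  # never accept an absolute path from the client

  root_abs = File.expand_path(root)
  resolved = File.expand_path(file, root_abs)

  # The root itself is a directory, so require a path strictly below it.
  # Comparing against root + separator also prevents "/srv/camaleon/private2"
  # from passing as a prefix match.
  return nil unless resolved.start_with?(root_abs + File::SEPARATOR)
  resolved
end

# Convenience predicate for logging or detection rules: true when the
# request would have escaped the storage root.
def traversal_attempt?(file)
  safe_private_path(file).nil?
end

# Constructed sample inputs illustrating accepted and rejected requests.
if __FILE__ == $PROGRAM_NAME
  ["reports/2026/q1.pdf", "docs/./notes.txt", "../../../../etc/passwd",
   "/etc/passwd", "a/../../b", "."].each do |f|
    puts format("%-28s -> %s", f.inspect, safe_private_path(f) || "REJECTED")
  end
end
```

Lexical normalisation does not follow symlinks; if the storage root may contain symlinks pointing outside it, additionally call File.realpath on the resolved path after confirming the file exists and repeat the prefix check.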

Scores

CVSS v3 6.5
EPSS 0.0006
EPSS Percentile 20.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-22
Status published
Products (4)
owen2345/Camaleon CMS 2.4.5.0 - 2.9.0
owen2345/Camaleon CMS f54a77e2a7be601215ea1b396038c589a0cab9af
rubygems/camaleon_cms 2.4.5.0 (RubyGems)
tuzitio/camaleon_cms 2.4.5 - 2.9.0
Published Mar 10, 2026
Tracked Since Mar 10, 2026