{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-21T10:02:12.655","vulnerabilities":[{"cve":{"id":"CVE-2026-1776","sourceIdentifier":"disclosure@vulncheck.com","published":"2026-03-10T07:38:01.950","lastModified":"2026-04-17T20:59:47.330","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Camaleon CMS versions 2.4.5.0 through 2.9.0, prior to commit f54a77e, contain a path traversal vulnerability in the AWS S3 uploader implementation that allows authenticated users to read arbitrary files from the web server’s filesystem. The issue occurs in the download_private_file functionality when the application is configured to use the CamaleonCmsAwsUploader backend. Unlike the local uploader implementation, the AWS uploader does not validate file paths with valid_folder_path?, allowing directory traversal sequences to be supplied via the file parameter. As a result, any authenticated user, including low-privileged registered users, can access sensitive files such as /etc/passwd. This issue represents a bypass of the incomplete fix for CVE-2024-46987 and affects deployments using the AWS S3 storage backend."},{"lang":"es","value":"Las versiones 2.4.5.0 a 2.9.0 de Camaleon CMS, anteriores al commit f54a77e, contienen una vulnerabilidad de salto de ruta en la implementación del cargador de AWS S3 que permite a los usuarios autenticados leer archivos arbitrarios del sistema de archivos del servidor web. El problema ocurre en la funcionalidad download_private_file cuando la aplicación está configurada para usar el backend CamaleonCmsAwsUploader. A diferencia de la implementación del cargador local, el cargador de AWS no valida las rutas de archivo con valid_folder_path?, permitiendo que se suministren secuencias de salto de directorio a través del parámetro file. Como resultado, cualquier usuario autenticado, incluidos los usuarios registrados con pocos privilegios, puede acceder a archivos sensibles como /etc /passwd. Este problema representa una omisión de la corrección incompleta para CVE-2024-46987 y afecta a las implementaciones que utilizan el backend de almacenamiento de AWS S3."}],"metrics":{"cvssMetricV40":[{"source":"disclosure@vulncheck.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":6.0,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}]},"weaknesses":[{"source":"disclosure@vulncheck.com","type":"Secondary","description":[{"lang":"en","value":"CWE-22"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:tuzitio:camaleon_cms:*:*:*:*:*:*:*:*","versionStartIncluding":"2.4.5","versionEndIncluding":"2.9.0","matchCriteriaId":"6CD58B4B-A874-4802-A817-72F4C8104C09"}]}]}],"references":[{"url":"https://camaleon.website/","source":"disclosure@vulncheck.com","tags":["Product"]},{"url":"https://github.com/owen2345/camaleon-cms/commit/f54a77e2a7be601215ea1b396038c589a0cab9af","source":"disclosure@vulncheck.com","tags":["Patch"]},{"url":"https://github.com/owen2345/camaleon-cms/pull/1127","source":"disclosure@vulncheck.com","tags":["Issue Tracking","Patch"]},{"url":"https://www.vulncheck.com/advisories/camaleon-cms-aws-uploader-authenticated-path-traversal-arbitrary-file-read","source":"disclosure@vulncheck.com","tags":["Patch","Third Party Advisory"]}]}}]}