{"id":"CVE-2026-32731","summary":"ApostropheCMS has Arbitrary File Write (Zip Slip / Path Traversal) in Import-Export Gzip Extraction","details":"ApostropheCMS is an open-source content management framework. Prior to version 3.5.3 of `@apostrophecms/import-export`, the `extract()` function in `gzip.js` constructs file-write paths using `fs.createWriteStream(path.join(exportPath, header.name))`. `path.join()` does not resolve or sanitise traversal segments such as `../`. It concatenates them as-is, meaning a tar entry named `../../evil.js` resolves to a path outside the intended extraction directory. No canonical-path check is performed before the write stream is opened. This is a textbook Zip Slip vulnerability. Any user who has been granted the Global Content Modify permission — a role routinely assigned to content editors and site managers — can upload a crafted `.tar.gz` file through the standard CMS import UI and write attacker-controlled content to any path the Node.js process can reach on the host filesystem. 
Version 3.5.3 of `@apostrophecms/import-export` fixes the issue.","aliases":["GHSA-mwxc-m426-3f78"],"modified":"2026-04-10T05:43:03.653021Z","published":"2026-03-18T22:03:25.682Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32731.json","cwe_ids":["CWE-22"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32731.json"},{"type":"ADVISORY","url":"https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-mwxc-m426-3f78"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32731"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apostrophecms/apostrophe","events":[{"introduced":"0"},{"fixed":"7e607c9fe1605764144bdc9f529961d5738e7ea2"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"3.5.3"}]}}],"versions":["0.1.1","0.1.10","0.1.11","0.1.12","0.1.13","0.1.14","0.1.2","0.1.3","0.1.4","0.1.5","0.1.6","0.1.7","0.1.8","0.1.9","0.2.0","0.3.0","0.3.1","0.3.10","0.3.11","0.3.12","0.3.15","0.3.16","0.3.18","0.3.19","0.3.2","0.3.3","0.3.4","0.3.5","0.3.6","0.3.7","0.3.8","0.3.9","0.4.1","0.4.10","0.4.100","0.4.101","0.4.102","0.4.104","0.4.11","0.4.110","0.4.111","0.4.112","0.4.113","0.4.114","0.4.115","0.4.116","0.4.117","0.4.118","0.4.119","0.4.12","0.4.120","0.4.121","0.4.122","0.4.123","0.4.124","0.4.125","0.4.13","0.4.14","0.4.15","0.4.16","0.4.18","0.4.184","0.4.19","0.4.2","0.4.20","0.4.21","0.4.22","0.4.23","0.4.24","0.4.25","0.4.26","0.4.27","0.4.28","0.4.29","0.4.3","0.4.30","0.4.31","0.4.32","0.4.33","0.4.34","0.4.35","0.4.37","0.4.4","0.4.40","0.4.41","0.4.42","0.4.43","0.4.44","0.4.45","0.4.46","0.4.47","0.4.5","0.4.51","0.4.52","0.4.53","0.4.54","0.4.55","0.4.57","0.4.58","0.4.59","0.4.6","0.4.60","0.4.61","0.4.62","0.4.63","0.4.64","0.4.65","0.4.66","0.4.67","0.4.68","0.4.69","0.4.7","0.4.70","0.4.71","0.4.72","0.4.73","0.4.74","0.4.75","0.4.8","0
.4.82","0.4.83","0.4.84","0.4.85","0.4.86","0.4.87","0.4.88","0.4.89","0.4.90","0.4.91","0.4.92","0.4.93","0.4.94","0.4.95","0.4.96","0.4.97","0.4.98","0.4.99","0.5.0","0.5.1","0.5.10","0.5.100","0.5.102","0.5.103","0.5.104","0.5.106","0.5.107","0.5.108","0.5.109","0.5.111","0.5.113","0.5.115","0.5.116","0.5.117","0.5.12","0.5.120","0.5.121","0.5.124","0.5.125","0.5.126","0.5.127","0.5.128","0.5.13","0.5.130","0.5.131","0.5.133","0.5.134","0.5.135","0.5.136","0.5.138","0.5.14","0.5.141","0.5.142","0.5.143","0.5.144","0.5.145","0.5.146","0.5.148","0.5.149","0.5.150","0.5.151","0.5.155","0.5.156","0.5.157","0.5.158","0.5.159","0.5.16","0.5.165","0.5.167","0.5.168","0.5.169","0.5.17","0.5.178","0.5.179","0.5.180","0.5.181","0.5.183","0.5.187","0.5.188","0.5.189","0.5.19","0.5.190","0.5.191","0.5.192","0.5.193","0.5.194","0.5.197","0.5.198","0.5.199","0.5.2","0.5.20","0.5.201","0.5.202","0.5.203","0.5.204","0.5.205","0.5.206","0.5.207","0.5.208","0.5.21","0.5.213","0.5.215","0.5.216","0.5.217","0.5.218","0.5.219","0.5.22","0.5.221","0.5.222","0.5.223","0.5.224","0.5.226","0.5.227","0.5.228","0.5.229","0.5.23","0.5.230","0.5.24","0.5.240","0.5.241","0.5.242","0.5.244","0.5.245","0.5.246","0.5.247","0.5.248","0.5.249","0.5.25","0.5.250","0.5.251","0.5.252","0.5.253","0.5.254","0.5.26","0.5.269","0.5.27","0.5.270","0.5.271","0.5.272","0.5.273","0.5.275","0.5.276","0.5.278","0.5.279","0.5.28","0.5.280","0.5.281","0.5.282","0.5.283","0.5.284","0.5.285","0.5.286","0.5.287","0.5.288","0.5.29","0.5.290","0.5.291","0.5.292","0.5.293","0.5.294","0.5.296","0.5.297","0.5.298","0.5.3","0.5.30","0.5.300","0.5.301","0.5.302","0.5.303","0.5.305","0.5.307","0.5.308","0.5.309","0.5.31","0.5.310","0.5.311","0.5.312","0.5.32","0.5.327","0.5.328","0.5.33","0.5.330","0.5.331","0.5.332","0.5.333","0.5.336","0.5.337","0.5.338","0.5.339","0.5.34","0.5.340","0.5.343","0.5.344","0.5.345","0.5.346","0.5.347","0.5.348","0.5.349","0.5.35","0.5.350","0.5.351","0.5.352","0.5.353","0.5.354","0.5.355","
0.5.356","0.5.357","0.5.358","0.5.359","0.5.36","0.5.360","0.5.361","0.5.362","0.5.363","0.5.364","0.5.365","0.5.366","0.5.367","0.5.368","0.5.369","0.5.37","0.5.370","0.5.371","0.5.372","0.5.373","0.5.374","0.5.375","0.5.376","0.5.377","0.5.378","0.5.379","0.5.38","0.5.380","0.5.381","0.5.382","0.5.383","0.5.384","0.5.39","0.5.4","0.5.40","0.5.43","0.5.44","0.5.45","0.5.47","0.5.48","0.5.5","0.5.50","0.5.51","0.5.52","0.5.55","0.5.56","0.5.57","0.5.58","0.5.59","0.5.6","0.5.60","0.5.61","0.5.63","0.5.64","0.5.65","0.5.67","0.5.68","0.5.69","0.5.7","0.5.70","0.5.71","0.5.75","0.5.76","0.5.77","0.5.78","0.5.79","0.5.8","0.5.82","0.5.84","0.5.85","0.5.86","0.5.88","0.5.89","0.5.9","0.5.90","0.5.91","0.5.92","0.5.93","0.5.94","0.5.95","0.5.96","0.5.97","0.5.98","0.5.99","2.0.1","2.0.2","2.0.3","2.0.4","2.1.1","2.1.2","2.1.3","2.10.0","2.10.1","2.10.2","2.10.3","2.11.0","2.12.0","2.13.0","2.13.1","2.13.2","2.14.0","2.14.1","2.14.2","2.15.0","2.15.1","2.15.2","2.16.0","2.16.1","2.17.0","2.17.1","2.17.2","2.18.0","2.18.1","2.18.2","2.19.0","2.19.1","2.20.1","2.20.2","2.20.3","2.22.0","2.23.0","2.23.1","2.23.2","2.24.0","2.25.0","2.25.1","2.26.0","2.26.1","2.27.0","2.27.1","2.28.0","2.29.0","2.29.1","2.29.2","2.30.0","2.31.0","2.31.1","2.32.0","2.33.0","2.33.1","2.34.0","2.34.1","2.34.2","2.34.3","2.35.0","2.35.1","2.36.0","2.36.1","2.36.2","2.36.3","2.38.0","2.39.0","2.39.1","2.39.2","2.40.0","2.41.0","2.42.0","2.42.1","2.43.0","2.44.0","2.45.0","2.46.0","2.46.1","2.47.0","2.48.0","2.49.0","2.50.0","2.51.0","2.51.1","2.52.0","2.53.0","2.54.0","2.54.1","2.54.2","2.54.3","2.55.0","2.56.0","2.57.0","2.58.0","2.59.0","2.59.1","2.6.1","2.6.2","2.60.0","2.60.1","2.60.2","2.60.3","2.60.4","2.62.0","2.63.0","2.64.0","2.64.1","2.65.0","2.66.0","2.67.0","2.7.0","2.8.0","2.9.0","2.9.1","2.9.2","3.0.0","3.0.0-alpha.1","3.0.0-alpha.2","3.0.0-alpha.3","3.0.0-alpha.4","3.0.0-alpha.4.2","3.0.0-alpha.5","3.0.0-alpha.6.1","3.0.0-alpha.7","3.0.0-beta.1","3.0.0-beta.1.1","3.0.0-beta.2","3.0.
0-beta.3","3.0.1","3.1.0","3.1.2","3.11.0","3.12.0","3.13.0","3.14.0","3.14.1","3.14.2","3.15.0","3.16.0","3.16.1","3.17.0","3.18.0","3.19.0","3.2.0","3.21.0","3.22.0","3.23.0","3.24.0","3.25.0","3.26.0","3.26.1","3.27.0","3.28.0","3.28.1","3.29.0","3.3.0","3.30.0","3.31.0","3.32.0","3.33.0","3.34.0","3.35.0","3.36.0","3.37.0","3.38.0","3.38.1","3.39.0","3.39.2","3.4.0","3.4.1","3.40.0","3.40.1","3.41.1","3.42.0","3.43.0","3.44.0","3.45.0","3.46.0","3.47.0","3.48.0","3.49.0","3.5.0","3.50.0","3.51.0","3.51.1","3.52.0","3.53.0","3.54.0","3.55.0","3.56.0","3.57.0","3.58.0","3.58.1","3.59.0","3.6.0","3.60.0","3.60.1","3.61.0","3.62.0","3.63.1","3.7.0","3.8.0","3.8.1","3.9.0","4.0.0","4.1.0","4.1.1","4.10.0","4.11.0","4.11.2","4.12.0","4.13.0","4.14.0","4.15.0","4.16.0","4.17.0","4.17.1","4.18.0","4.19.0","4.2.0","4.20.0","4.21.0","4.22.0","4.23.0","4.24.0","4.3.0","4.4.0","4.4.1","4.4.2","4.4.3","4.5.0","4.5.2","4.5.3","4.6.0","4.7.0","4.8.0","4.9.0","@apostrophecms/ai-helper@1.0.0-beta.11","@apostrophecms/apostrophe-astro@1.8.0","@apostrophecms/apostrophe-astro@1.9.0","@apostrophecms/cli@3.6.0","@apostrophecms/form@1.5.3","@apostrophecms/import-export@3.5.1","@apostrophecms/import-export@3.5.2","@apostrophecms/login-totp@1.3.3","@apostrophecms/openapi-generator@1.0.0","@apostrophecms/seo@1.4.0","apostrophe@4.25.0","apostrophe@4.26.0","apostrophecms-openapi@1.1.0","postcss-viewport-to-container-toggle@2.2.0","sanitize-html@2.17.1","v0.4.68"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32731.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}]}