CVE-2026-32731
ApostropheCMS is an open-source content management framework. Prior to version 3.5.3 of @apostrophecms/import-export,
The extract() function in gzip.js constructs file-write paths using fs.createWriteStream(path.join(exportPath, header.name)). path.join() does not resolve or sanitise traversal segments such as ../. It concatenates them as-is, meaning a tar entry named ../../evil.js resolves to a path outside the intended extraction directory. No canonical-path check is performed before the write stream is opened. This is a textbook Zip Slip vulnerability. Any user who has been granted the Global Content Modify permission — a role routinely assigned to content editors and site managers — can upload a crafted .tar.gz file through the standard CMS import UI and write attacker-controlled content to any path the Node.js process can reach on the host filesystem. Version 3.5.3 of @apostrophecms/import-export fixes the issue.
Package Versions Affected
Automatically patch vulnerabilities without upgrading
CVSS Version
Related Resources
References
https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32731.json, https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-mwxc-m426-3f78, https://nvd.nist.gov/vuln/detail/CVE-2026-32731