CVE-2026-45233 in htmly
Summary
by MITRE • 06/25/2026
HTMLy CMS through 3.1.1 contains a path traversal vulnerability that allows low-privileged authenticated attackers to relocate arbitrary files by supplying directory traversal sequences in the oldfile parameter at the admin autosave endpoint. Attackers can pass unsanitized traversal sequences directly to file_exists() and rename() functions in admin.php without canonicalization or directory boundary enforcement to cause unintended relocation of any file writable by the web server process to an attacker-specified draft location.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 06/25/2026
This vulnerability exists within HTMLy CMS version 3.1.1 and earlier, representing a critical path traversal flaw that enables authenticated attackers with low privileges to manipulate file system operations through the admin autosave endpoint. The vulnerability specifically manifests when the oldfile parameter is processed without proper sanitization or validation, allowing malicious directory traversal sequences to be passed directly to core PHP functions.
The technical implementation of this flaw involves the direct invocation of file_exists() and rename() functions in the admin.php file without any canonicalization or directory boundary enforcement mechanisms. When an attacker supplies a traversal sequence such as ../../etc/passwd or similar path manipulation patterns, these unsanitized inputs are immediately passed to the underlying file system operations, bypassing all normal security checks and validation procedures that should normally prevent arbitrary file access.
The operational impact of this vulnerability is severe as it allows attackers to relocate any file that is writable by the web server process to an attacker-specified location within the file system. This capability enables attackers to move critical application files, configuration data, or even executable scripts to locations where they can be controlled or accessed, potentially leading to complete system compromise. The vulnerability affects all authenticated users regardless of their specific permission levels, making it particularly dangerous in environments where multiple users have access to the CMS administration interface.
From a cybersecurity perspective, this vulnerability maps directly to CWE-22 Path Traversal and aligns with ATT&CK technique T1059 Command and Scripting Interpreter, as attackers can leverage this flaw to manipulate file system operations. The vulnerability also relates to ATT&CK technique T1566 Impersonation, since authenticated users can abuse their access privileges to perform unauthorized file operations. Additionally, this issue demonstrates poor input validation practices that violate security principles outlined in the OWASP Top Ten and NIST Cybersecurity Framework.
The recommended mitigation strategies include implementing strict input validation and sanitization for all file path parameters, applying proper canonicalization functions before any file system operations, and enforcing directory boundary checks to prevent traversal sequences from escaping the intended application directories. Organizations should also consider implementing principle of least privilege access controls and regularly auditing file permissions to limit the impact of such vulnerabilities. Immediate patching of HTMLy CMS to version 3.1.2 or later is essential, as this release includes proper input validation and sanitization measures that address the path traversal vulnerability at its source.