Critical (9.9)

ApostropheCMS RCE (CVE-2026-32731) [PoC]

CVE-2026-32731

ApostropheCMS is an open-source content management framework. Prior to version 3.5.3 of `@apostrophecms/import-export`, The `extract()` function in `gzip.js` constructs file-write paths using `fs.crea...

Overview

A critical security vulnerability, identified as CVE-2026-32731, has been discovered in the @apostrophecms/import-export module for ApostropheCMS. This flaw is a classic “Zip Slip” vulnerability that could allow an authenticated attacker to write malicious files to any location accessible by the Node.js server process.

Vulnerability Details

The vulnerability exists in the extract() function within the module’s gzip.js file. When processing uploaded .tar.gz files, the code uses the path.join() method to construct the destination path for extracted files. This method does not prevent or sanitize directory traversal sequences like ../. Consequently, a malicious archive containing a file named ../../evil.js would cause the system to write that file outside the intended extraction directory, potentially to critical system locations.

Impact and Risk

The impact of this vulnerability is severe (CVSS Score: 9.9). Any CMS user with the “Global Content Modify” permission (a standard role for editors and site managers) can exploit this flaw through the normal import interface. Successful exploitation could lead to:

  • Remote Code Execution (RCE) by overwriting application files.
  • System compromise and complete server takeover.
  • Data theft or destruction by accessing sensitive files.
  • Website defacement or persistent backdoor installation.

This vulnerability underscores the risks of insufficient input validation in file operations. For context on how such flaws can lead to major incidents, you can review historical breach reports.

Remediation and Mitigation

The primary and mandatory action is to update the @apostrophecms/import-export module immediately.

Action Required:

  1. Patch: Upgrade the @apostrophecms/import-export module to version 3.5.3 or later. This version fixes the path traversal issue.
  2. Verify: Confirm that no unauthorized file changes have occurred on your server since the last known-good state.
  3. Principle of Least Privilege: Audit and minimize user accounts with the “Global Content Modify” permission. Only essential administrators should hold this role.

Temporary Mitigation (if patching is delayed):

  • Disable the import functionality or the entire @apostrophecms/import-export module if it is not in active use.
  • Closely monitor server file systems for unexpected changes.

Staying informed on such critical updates is crucial for maintaining security. For the latest on vulnerabilities and patches, follow our security news coverage. Organizations using ApostropheCMS should treat this patch as an urgent priority to prevent potential system compromise.



Public PoC References

Unverified third-party code

These repositories are publicly listed on GitHub and have not been audited by Yazoul Security. They may contain malware, backdoors, destructive payloads, or operational security risks (telemetry, exfiltration). Treat them as hostile binaries. Inspect source before execution. Run only in isolated, disposable lab environments (offline VM, no credentials, no production data).

Authorized use only. This information is provided for defensive research, detection engineering, and patch validation. Using exploit code against systems you do not own or do not have explicit written permission to test is illegal in most jurisdictions and violates Yazoul's terms of use.

Repository: 0xEr3n/CVE-2026-32731 (0 stars)
Description: POC for CVE-2026-32731

Showing 1 of 1 known references. Source: nomi-sec/PoC-in-GitHub.
