HIGH · Vulnerability · Verified · Global

NVD HIGH: CVE-2026-45233 — HTMLy CMS through 3.1.1 contains a path traversal vulnerability that allows low-...

Source: NIST NVD

Executive Summary

HTMLy CMS through 3.1.1 contains a path traversal vulnerability: a low-privileged authenticated attacker can supply directory traversal sequences in the oldfile parameter of the admin autosave endpoint, and admin.php passes that value unsanitized to file_exists() and rename() without canonicalization or directory boundary enforcement, so any file writable by the web server process can be relocated to an attacker-specified draft location.

Analysis

HTMLy CMS through 3.1.1 contains a path traversal vulnerability that allows low-privileged authenticated attackers to relocate arbitrary files by supplying directory traversal sequences in the oldfile parameter at the admin autosave endpoint. The parameter value is passed directly to the file_exists() and rename() functions in admin.php without canonicalization or directory boundary enforcement, so an attacker can cause the unintended relocation of any file writable by the web server process to an attacker-specified draft location. CVSS score: 8.1. Published: 2026-06-25T17:16:39.207.
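The pattern the advisory describes (a caller-controlled path handed straight to file_exists() and rename()) beside a canonicalizing boundary check that prevents the relocation, as an added PHP illustration that is not HTMLy's own code; the draft directory, file names and function names are constructed for the demo:

```php
<?php
// Added illustration, not HTMLy's code. Shows the unsafe pattern the advisory
// describes (raw parameter into file_exists()/rename()) next to a canonicalizing
// boundary check. Directory and file names below are constructed for the demo.

// Constructed draft directory plus one file inside it and one outside it.
$tmp      = sys_get_temp_dir() . '/traversal_demo_' . getmypid();
$draftDir = $tmp . '/drafts';
mkdir($draftDir, 0700, true);
file_put_contents($draftDir . '/post.md', "# draft\n");
file_put_contents($tmp . '/outside.txt', "not a draft\n");

// Unsafe pattern: the caller-controlled $oldfile is used as-is, so "../" segments
// let it name any file the web server can write, not only files under $draftDir.
function relocateUnsafe(string $draftDir, string $oldfile, string $newname): bool {
    if (!file_exists($oldfile)) {
        return false;
    }
    return rename($oldfile, $draftDir . '/' . $newname);
}

// Resolve $name under $baseDir and return the canonical path, or null when it
// does not resolve to a file strictly inside $baseDir. realpath() collapses
// "..", symlinks and repeated separators, so the check runs on the real target.
function safeDraftPath(string $baseDir, string $name): ?string {
    $base = realpath($baseDir);
    if ($base === false || strpos($name, "\0") !== false) {
        return null;                      // missing base dir or NUL-byte truncation
    }
    $real   = realpath($base . DIRECTORY_SEPARATOR . $name);
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($real === false || strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;                      // nonexistent, or escaped the draft directory
    }
    return $real;
}

// Hardened pattern: the source must canonicalize inside $draftDir and the target
// is a plain file name (no separators, not "." or ".."), so neither side can leave it.
function relocateSafe(string $draftDir, string $oldfile, string $newname): bool {
    $src = safeDraftPath($draftDir, $oldfile);
    if ($src === null || !preg_match('/^[A-Za-z0-9_-][A-Za-z0-9._-]*$/', $newname)) {
        return false;
    }
    return rename($src, $draftDir . DIRECTORY_SEPARATOR . $newname);
}

var_dump(relocateSafe($draftDir, '../outside.txt', 'moved.md'));   // traversal rejected
var_dump(relocateSafe($draftDir, 'post.md', 'post-autosave.md'));  // in-directory move allowed
```

The same prefix comparison against realpath() output is the check to look for when reviewing any rename(), copy() or unlink() call that takes a path from a request parameter.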

Indicators of Compromise (1)

CVE (1): CVE-2026-45233

Source Attribution

Originally published by NIST NVD on Jun 25, 2026. Verified by: NIST.

Related Threats

MEDIUM · Vulnerability · NEW

Google: Kremlin Expands AI-Backed Campaigns Across Europe, US

GenAI Is Accelerating Propaganda, Planning and Content Creation. Google Threat Intelligence Group says Russia is expanding AI-enabled influence operations beyond Ukraine to target the European Union and NATO, relyin

Source: Bank Info Security

CRITICAL · Vulnerability · NEW

NVD CRITICAL: CVE-2026-58449 — txtai through 9.10.0, fixed in commit 11b32da, exposes an API /reindex endpoint ...

txtai through 9.10.0, fixed in commit 11b32da, exposes an API /reindex endpoint whose function body parameter is resolved through txtai.util.Resolver, which performs __import__ and getattr on the caller-supplied dotted path with no allowlist. When the API is exposed with no TOKEN configured (authentication is opt-in, so all endpoints are unauthenticated) and the index is configured writable, a rem

CVE: CVE-2026-58449
Source: NIST NVD

MEDIUM · Vulnerability

DICOM Toolkit Bugs Raise Medical Imaging Security Risks

Common AI Tools Helped Researcher Discover Hidden Flaws. Several newly identified vulnerabilities in a DICOM toolkit used in medical-imaging software could expose patient information, crash

Source: Bank Info Security