CVE-2026-30462
Path Traversal in Daylight Studio FuelCMS Blocks Module
Publication date: 2026-04-27
Last updated on: 2026-04-27
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| daylightstudio | fuelcms | 1.5.2 |
| daylight_studio | fuelcms | 1.5.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
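The weakness described in the CWE-22 row is the absence of a containment check between "build the pathname" and "open the file". As an added example, not code from FuelCMS or from this advisory, the following Python shows the two standard defences: an allow-list on the block name, and a resolve-then-compare check that rejects any candidate whose real path leaves the permitted views directory. The appended `.php` mirrors the behaviour the advisory describes; `/srv/fuel/views` and the sample names are constructed placeholders.

```python
import os
import re

# Allow-list: a block view name is a plain identifier, nothing else.
# Anything with separators, dots or NUL bytes never reaches the filesystem.
SAFE_NAME_RE = re.compile(r'^[A-Za-z0-9_-]{1,64}$')


def is_safe_view_name(name):
    """First line of defence: accept only names that cannot express a path."""
    return bool(SAFE_NAME_RE.match(name))


def resolve_view_file(views_dir, name):
    """Return the absolute path of <views_dir>/<name>.php, or None if the
    resolved path would escape views_dir.

    This is the CWE-22 fix in its general form: resolve the candidate
    (collapsing '..', '.' and symlinks), then verify that the permitted
    directory is a prefix of the result at a path-component boundary.
    """
    if '\x00' in name:
        # Embedded NUL bytes can truncate the name in lower layers; reject outright.
        return None
    base = os.path.realpath(views_dir)
    # os.path.join discards `base` when `name` is absolute; realpath then
    # yields a path outside base, which the commonpath test below rejects.
    candidate = os.path.realpath(os.path.join(base, name + '.php'))
    # commonpath (not startswith) so that '/srv/fuel/views2' is not mistaken
    # for something inside '/srv/fuel/views'.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def check_names(views_dir, names):
    """Evaluate a list of candidate block names against both defences.

    Returns {name: (passes_allow_list, resolved_path_or_None)}.
    """
    return {n: (is_safe_view_name(n), resolve_view_file(views_dir, n)) for n in names}


if __name__ == '__main__':
    # Constructed candidates: one benign name, three traversal attempts.
    for name, verdict in check_names('/srv/fuel/views',
                                     ['header', '../../config/secrets',
                                      'sub/../../x', '/etc/hostname']).items():
        print(f'{name!r:28} allow-list={verdict[0]!s:5} resolved={verdict[1]}')
```

The allow-list alone is sufficient for a block name; the resolve-and-compare check is the fallback for code paths that must accept subdirectories, and it is the check that makes the `.php` suffix irrelevant to safety.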
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-30462 is a path traversal vulnerability in the Blocks module of Daylight Studio FuelCMS version 1.5.2. It allows an authenticated attacker to manipulate the 'Block View File' names to include path traversal sequences, enabling them to read arbitrary PHP files on the server.
The vulnerability arises because the Blocks module does not properly sanitize input for block view file names, and it automatically appends the .php extension. This flaw allows attackers to access sensitive files such as configuration and database files by uploading a block with a specially crafted name containing path traversal payloads.
Additionally, the Blocks controller handles file uploads and dynamic evaluation of variables in a way that could allow remote code execution or unauthorized content manipulation if exploited.
How can this vulnerability impact me?
This vulnerability can have serious impacts including unauthorized disclosure of sensitive information and potential full system compromise.
- An attacker can read arbitrary PHP files on the server, including configuration and database files, exposing sensitive credentials.
- If the attacker obtains valid database credentials, they can extract all website information, reset admin passwords, promote users to admin, modify or delete website content, and corrupt critical database parts.
- This can lead to loss of confidentiality, integrity, and availability of the FuelCMS application and its data.
The vulnerability requires authentication and permission to send POST requests to the Blocks module, but once exploited, it can lead to high severity impacts.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for unauthorized or suspicious POST requests to the `/fuel/blocks/edit/` endpoint that include path traversal payloads in the "Name" field of block uploads.
A practical detection method is to monitor web server logs or use intrusion detection systems to identify POST requests containing sequences like `../../` in the block name parameter.
Example commands to detect such attempts include:
- Using grep to find suspicious POST requests in web server logs: `grep -i 'POST /fuel/blocks/edit/' /var/log/apache2/access.log | grep '\.\.\/'`
- Using curl to test the vulnerability by sending a crafted POST request with a path traversal payload in the block name field.
- Checking for unexpected or unauthorized block uploads or modifications in the FuelCMS Blocks module.
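The grep one-liner above only matches a literal `../`; a request that carries the same sequence percent-encoded (`..%2F`) or double-encoded (`%252e%252e%252f`) slips past it. As an added example, not code from the advisory or from FuelCMS, this Python scanner parses Apache combined-format lines, keeps POSTs to `/fuel/blocks/edit/`, decodes the request target repeatedly, and flags traversal sequences. The log lines are constructed; they place the traversal string in the query string because the default combined format records only the request line, so a payload carried in the POST body (where the advisory says the Name field travels) is visible only in application-level or WAF logging, not here.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format (not from a real server).
# 10.0.0.7 sends three variants of the same traversal: plain, encoded, double-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Apr/2026:10:01:02 +0000] "POST /fuel/blocks/edit/3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [27/Apr/2026:10:01:09 +0000] "POST /fuel/blocks/edit/3?name=../../example-config HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [27/Apr/2026:10:01:15 +0000] "POST /fuel/blocks/edit/3?name=..%2F..%2Fexample-config HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [27/Apr/2026:10:01:21 +0000] "POST /fuel/blocks/edit/3?name=%252e%252e%252fexample-config HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [27/Apr/2026:10:02:00 +0000] "GET /fuel/blocks/edit/3 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# '..' followed by a forward or back slash, checked after decoding.
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')
MONITORED_PREFIX = '/fuel/blocks/edit/'


def fully_decode(s, rounds=3):
    """Percent-decode until the string stops changing (bounded), so that
    double- and triple-encoded sequences are normalised before matching."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious(entry):
    """A POST to the monitored endpoint whose decoded target contains a traversal sequence."""
    if entry['method'] != 'POST' or not entry['target'].startswith(MONITORED_PREFIX):
        return False
    return TRAVERSAL_RE.search(fully_decode(entry['target'])) is not None


def scan_log(text):
    """Return (client_ip, timestamp, raw_target) for every flagged line."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry and is_suspicious(entry):
            hits.append((entry['ip'], entry['ts'], entry['target']))
    return hits


if __name__ == '__main__':
    for ip, ts, target in scan_log(SAMPLE_LOG):
        print(f'{ts} {ip} {target}')
```

Run it against a real file with `scan_log(open('/var/log/apache2/access.log').read())`; the result feeds naturally into the "unexpected block modifications" check in the last bullet, since each hit names the block id in the request path.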
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the Blocks module to only trusted and authenticated users with necessary permissions.
Monitor and block suspicious POST requests to `/fuel/blocks/edit/` that contain path traversal sequences such as `../../`.
If possible, disable or restrict file upload functionality in the Blocks module to prevent uploading malicious or crafted block view files.
Implement web application firewall (WAF) rules to detect and block path traversal payloads targeting this endpoint.
Since no official patch is available, consider isolating or upgrading the CMS to a more secure version or alternative system if feasible.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-30462 allows authenticated attackers to perform path traversal attacks to read arbitrary PHP files, including sensitive configuration files such as database credentials. This exposure of sensitive data can lead to unauthorized access, data breaches, and potential full system compromise.
Such unauthorized disclosure and potential manipulation of sensitive information can violate data protection regulations like GDPR and HIPAA, which require strict controls over personal and sensitive data confidentiality and integrity.
Because the vulnerability enables attackers to access and potentially modify sensitive data without authorization, organizations using the affected FuelCMS version may fail to meet compliance requirements related to data security, breach prevention, and incident response.
Furthermore, the lack of a patch and the possibility of full system compromise increase the risk of non-compliance with these standards.