CVE-2026-30462
Received Received - Intake
Path Traversal in Daylight Studio FuelCMS Blocks Module

Publication date: 2026-04-27

Last updated on: 2026-04-27

Assigner: MITRE

Description
A path traversal vulnerability in the Blocks module of Daylight Studio FuelCMS v1.5.2 allows attackers to execute a directory traversal.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-27
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-04-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-30462
EUVD
EUVD-2026-25881
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
daylightstudio fuelcms 1.5.2
daylight_studio fuelcms 1.5.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-30462 is a path traversal vulnerability in the Blocks module of Daylight Studio FuelCMS version 1.5.2. It allows an authenticated attacker to manipulate the 'Block View File' names to include path traversal sequences, enabling them to read arbitrary PHP files on the server.

The vulnerability arises because the Blocks module does not properly sanitize input for block view file names, and it automatically appends the .php extension. This flaw allows attackers to access sensitive files such as configuration and database files by uploading a block with a specially crafted name containing path traversal payloads.

Additionally, the Blocks controller handles file uploads and dynamic evaluation of variables in a way that could allow remote code execution or unauthorized content manipulation if exploited.

Impact Analysis

This vulnerability can have serious impacts including unauthorized disclosure of sensitive information and potential full system compromise.

  • An attacker can read arbitrary PHP files on the server, including configuration and database files, exposing sensitive credentials.
  • If the attacker obtains valid database credentials, they can extract all website information, reset admin passwords, promote users to admin, modify or delete website content, and corrupt critical database parts.
  • This can lead to loss of confidentiality, integrity, and availability of the FuelCMS application and its data.

The vulnerability requires authentication and permission to send POST requests to the Blocks module, but once exploited, it can lead to high severity impacts.

Detection Guidance

This vulnerability can be detected by checking for unauthorized or suspicious POST requests to the `/fuel/blocks/edit/` endpoint that include path traversal payloads in the "Name" field of block uploads.

A practical detection method is to monitor web server logs or use intrusion detection systems to identify POST requests containing sequences like `../../` in the block name parameter.

Example commands to detect such attempts include:

  • Using grep to find suspicious POST requests in web server logs: `grep -i 'POST /fuel/blocks/edit/' /var/log/apache2/access.log | grep '\.\.\/'`
  • Using curl to test the vulnerability by sending a crafted POST request with a path traversal payload in the block name field.
  • Checking for unexpected or unauthorized block uploads or modifications in the FuelCMS Blocks module.
Mitigation Strategies

Immediate mitigation steps include restricting access to the Blocks module to only trusted and authenticated users with necessary permissions.

Monitor and block suspicious POST requests to `/fuel/blocks/edit/` that contain path traversal sequences such as `../../`.

If possible, disable or restrict file upload functionality in the Blocks module to prevent uploading malicious or crafted block view files.

Implement web application firewall (WAF) rules to detect and block path traversal payloads targeting this endpoint.

Since no official patch is available, consider isolating or upgrading the CMS to a more secure version or alternative system if feasible.

Compliance Impact

CVE-2026-30462 allows authenticated attackers to perform path traversal attacks to read arbitrary PHP files, including sensitive configuration files such as database credentials. This exposure of sensitive data can lead to unauthorized access, data breaches, and potential full system compromise.

Such unauthorized disclosure and potential manipulation of sensitive information can violate data protection regulations like GDPR and HIPAA, which require strict controls over personal and sensitive data confidentiality and integrity.

Because the vulnerability enables attackers to access and potentially modify sensitive data without authorization, organizations using the affected FuelCMS version may fail to meet compliance requirements related to data security, breach prevention, and incident response.

Furthermore, the lack of a patch and the possibility of full system compromise increase the risk of non-compliance with these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30462. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart