CVE-2026-16219
Received Received - Intake

Path Traversal in Croogo CMS Admin File Manager

Vulnerability report for CVE-2026-16219, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-19

Last updated on: 2026-07-19

Assigner: VulDB

Description

A flaw has been found in Croogo CMS up to 4.0.7. This affects the function FileManager::isEditable of the file FileManager/src/Utility/FileManager.php of the component Admin File Manager. This manipulation causes path traversal. The attack can be initiated remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-19
Last Modified
2026-07-19
Generated
2026-07-19
AI Q&A
2026-07-19
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
croogo croogo to 4.0.7 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-16219 is a path traversal vulnerability in Croogo CMS up to version 4.0.7. It affects the FileManager component's FileManager::isEditable function, allowing authenticated users to bypass intended path restrictions and access or modify files outside the designated editable directory. The flaw stems from incorrect use of Configure::check() instead of Configure::read() for path validation, enabling arbitrary file writes.

Detection Guidance

Check Croogo CMS versions up to 4.0.7 for the vulnerable FileManager component. Inspect FileManager/src/Utility/FileManager.php for the isEditable function. Look for improper path validation using Configure::check() instead of Configure::read().

Review file access logs for unauthorized file writes or modifications outside intended directories like WWW_ROOT . 'assets'.

Impact Analysis

If exploited, this vulnerability could allow attackers to create or overwrite files in unintended locations. If the overwritten files are web-accessible and PHP-executable, it may lead to remote code execution. Attackers need valid admin credentials and a CSRF token to exploit this issue.

Compliance Impact

This vulnerability could lead to unauthorized file creation or modification outside intended directories, potentially exposing sensitive data. For GDPR, this may result in unauthorized access to personal data, violating principles of data protection and user consent. For HIPAA, it could allow unauthorized changes to protected health information, compromising confidentiality and integrity requirements.

Mitigation Strategies

Upgrade Croogo CMS to a version beyond 4.0.7 if available. If not, apply a patch to replace Configure::check() with Configure::read() in FileManager.php.

Restrict FileManager access to trusted administrators only. Monitor file system changes and disable write permissions for non-essential directories.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-16219. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart