ApostropheCMS has Arbitrary File Write (Zip Slip / Path Traversal) in Import-Export Gzip Extraction
- Severity: High
Description
Reported: 2026-03-08
Status: patched and released in version 3.5.3 of @apostrophecms/import-export
Recommendation
Update the @apostrophecms/import-export package to the latest compatible version. Version details:
- Affected version(s): <= 3.5.2
- Patched version(s): 3.5.3
References
Related Issues
- SillyTavern has a path traversal in `/api/chats/import` that allows arbitrary file write outside the intended chat directory - CVE-2026-34522
- @appium/support has a Zip Slip arbitrary file write in its ZIP extraction - CVE-2026-30973
- Saltcorn has an Unauthenticated Path Traversal in sync endpoints, allowing arbitrary file write and directory read - CVE-2026-40163
- Rollup 4 has Arbitrary File Write via Path Traversal - CVE-2026-27606
- Tags: npm, @apostrophecms/import-export
Last updated on March 18, 2026


