ApostropheCMS has Arbitrary File Write (Zip Slip / Path Traversal) in Import-Export Gzip Extraction
- Severity: High
Description
Reported: 2026-03-08
Status: patched and released in version 3.5.3 of @apostrophecms/import-export
Recommendation
Update the @apostrophecms/import-export package to the latest compatible version. Version details are as follows:
- Affected version(s): <= 3.5.2
- Patched version(s): 3.5.3
References
Related Issues
- @appium/support has a Zip Slip arbitrary file write in its ZIP extraction - CVE-2026-30973
- Rollup 4 has Arbitrary File Write via Path Traversal - CVE-2026-27606
- @mobilenext/mobile-mcp allows arbitrary file write via Path Traversal in mobile screen capture tools - CVE-2026-33989
- liquidjs has a path traversal fallback vulnerability - CVE-2026-30952
- Tags: npm, @apostrophecms/import-export
Last updated on March 18, 2026