CVE-2026-45233
HTMLy CMS 3.1.1 Path Traversal via oldfile Parameter in Autosave
Vexday Risk Score: 41 (Attention)
SSVC decision (CISA): Attend. PoC available → attend closely.
CVSS: 7.2
EPSS: 0.6%
KEV: no
PoC: public
Nuclei: —
Metasploit: —
Patch: —
Lifecycle
25 Jun 2026: Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
HTMLy CMS through 3.1.1 contains a path traversal vulnerability that allows a low-privileged authenticated attacker to relocate arbitrary files by supplying directory traversal sequences in the oldfile parameter of the admin autosave endpoint. The value is passed unsanitized to file_exists() and rename() in admin.php, without canonicalization or a directory-boundary check, so any file writable by the web server process can be moved to an attacker-specified draft location. Because the file is moved rather than copied or read, the effect is on integrity and availability (the original location loses the file), which is what the VI:H/VA:H components of the vector below reflect; confidentiality impact is rated none.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
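As an added illustration (not HTMLy's own code and not the referenced gist), the pattern the advisory describes beside a hardened form. Only the parameter name oldfile and the file_exists()/rename() pair come from the advisory; the function names, the draft directory layout and the temp-directory demo are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not HTMLy's code. autosave_move_vulnerable(), autosave_move_hardened(),
// resolve_inside() and the directory layout are hypothetical; only the parameter name
// oldfile and the file_exists()/rename() pair come from the advisory text.

// Vulnerable shape: the untrusted value is joined onto the draft directory and handed
// straight to file_exists() and rename(). "../" segments are honoured by the filesystem,
// so any file the web server can write to can be moved into the draft directory.
function autosave_move_vulnerable(string $draftDir, string $oldfile, string $newfile): bool
{
    $src = $draftDir . '/' . $oldfile;
    $dst = $draftDir . '/' . $newfile;
    if (!file_exists($src)) {
        return false;
    }
    return rename($src, $dst);
}

// Canonicalize an untrusted relative name under $baseDir and return the absolute path
// only if it lies strictly inside the canonical base; otherwise null.
// $mustExist = true resolves the path itself (symlinks included); false is for a
// target that may not exist yet, so only its parent directory is resolved.
function resolve_inside(string $baseDir, string $untrusted, bool $mustExist): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $untrusted === '' || strpos($untrusted, "\0") !== false) {
        return null;
    }
    $joined = $base . DIRECTORY_SEPARATOR . $untrusted;
    if ($mustExist) {
        $canon = realpath($joined);
    } else {
        $leaf = basename($joined);
        $parent = realpath(dirname($joined));
        if ($parent === false || $leaf === '' || $leaf === '.' || $leaf === '..') {
            return null;
        }
        $canon = $parent . DIRECTORY_SEPARATOR . $leaf;
    }
    if ($canon === false) {
        return null;
    }
    // Boundary check on the canonical string: it must start with "<base>/". Keeping the
    // trailing separator stops "/srv/drafts2" from passing for base "/srv/drafts".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($canon, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $canon;
}

// Hardened shape: both the source and the destination are canonicalized and confined
// to the draft directory before rename() runs; the source must also be a regular file.
function autosave_move_hardened(string $draftDir, string $oldfile, string $newfile): bool
{
    $src = resolve_inside($draftDir, $oldfile, true);
    $dst = resolve_inside($draftDir, $newfile, false);
    if ($src === null || $dst === null || !is_file($src)) {
        return false;
    }
    return rename($src, $dst);
}

// Constructed layout in a temp directory to exercise both versions.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'traversal-demo-' . bin2hex(random_bytes(4));
mkdir($root . '/drafts', 0700, true);
mkdir($root . '/config', 0700, true);
file_put_contents($root . '/config/config.ini', "secret=1\n");
file_put_contents($root . '/drafts/post.md', "draft body\n");

$traversal = '../config/config.ini';

// Hardened path first: the traversal resolves to config/config.ini, which fails the
// boundary check, so config.ini stays where it is.
var_dump(autosave_move_hardened($root . '/drafts', $traversal, 'stolen.md'));
var_dump(is_file($root . '/config/config.ini'));

// Vulnerable path: the same input moves config.ini out of config/ into drafts/stolen.md.
var_dump(autosave_move_vulnerable($root . '/drafts', $traversal, 'stolen.md'));
var_dump(is_file($root . '/config/config.ini'));

// The hardened path still serves a legitimate rename inside the draft directory.
var_dump(autosave_move_hardened($root . '/drafts', 'post.md', 'renamed.md'));

// Cleanup of the constructed files.
foreach (['/drafts/stolen.md', '/drafts/renamed.md', '/drafts/post.md', '/config/config.ini'] as $f) {
    @unlink($root . $f);
}
rmdir($root . '/drafts');
rmdir($root . '/config');
rmdir($root);
```

The check that matters is the prefix comparison against the realpath() of the base directory, not a blocklist of "../": realpath() also collapses symlinks, so a link inside the draft directory pointing elsewhere is rejected for the source, and the destination is validated through its canonical parent because it may not exist yet.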
Affected products
danpros · htmly
Public PoCs found: 1
cve_reference: gist.github.com/mrgr4yhat/c4df971eafa272ac8c86c15e2829b7fe (unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.