Path Traversal Vulnerability in Croogo CMS Admin File Manager
CVE-2026-16219
Key Information:
Badges
What is CVE-2026-16219?
A vulnerability has been identified in Croogo CMS versions up to 4.0.7, specifically within the FileManager::isEditable function located in FileManager/src/Utility/FileManager.php. This flaw allows an attacker to perform path traversal attacks, which can lead to unauthorized access to sensitive files on the server. This security issue can be exploited remotely, enabling malicious actors to manipulate file access controls without physical access to the server. Although the project was notified of this issue through an early report, there has been no public response or remediation from the Croogo team.
Affected Version(s)
CMS 4.0.0
CMS 4.0.1
CMS 4.0.2
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V4
Timeline
- ๐ก
Public PoC available
- ๐พ
Exploit known to exist
Vulnerability published
Vulnerability Reserved
