CVE-2026-32567 identifies a path traversal vulnerability in the icopydoc YML for Yandex Market plugin, affecting all versions prior to 5.3.0. Path traversal vulnerabilities occur when an application improperly restricts file path inputs, allowing attackers to traverse directories outside the intended scope. In this case, the plugin fails to adequately limit pathname inputs, enabling an attacker to access files and directories beyond the designated restricted directory. This can lead to unauthorized reading or modification of server files, potentially exposing sensitive configuration files, credentials, or other critical data. The vulnerability was reserved and published in March 2026, with no CVSS score assigned and no known exploits in the wild at the time of reporting. The lack of authentication or user interaction requirements suggests that exploitation could be performed remotely and without credentials, increasing the attack surface. The plugin is used to generate or manage YML feeds for Yandex Market, a major e-commerce platform in Russia and surrounding regions, making it a valuable target for attackers seeking to compromise e-commerce infrastructure or data.

The primary impact of this vulnerability is unauthorized access to sensitive files on the server hosting the vulnerable plugin. Attackers exploiting this flaw could read confidential information such as configuration files, database credentials, or proprietary data, leading to confidentiality breaches. Additionally, if write access is possible, attackers could modify files to inject malicious code, escalate privileges, or disrupt service availability. For organizations relying on Yandex Market integrations, such compromises could result in data leakage, reputational damage, financial loss, and regulatory penalties. The ease of exploitation without authentication increases the risk of widespread attacks, especially in environments where the plugin is exposed to the internet. The absence of known exploits currently limits immediate impact but does not reduce the potential severity once exploit code becomes available.

Organizations should upgrade the icopydoc YML for Yandex Market plugin to version 5.3.0 or later as soon as a patch is released to address this vulnerability. Until a patch is available, implement strict input validation to sanitize and restrict file path parameters, ensuring they cannot traverse outside intended directories. Employ web application firewalls (WAFs) with rules to detect and block path traversal attempts. Restrict file system permissions for the web server user to the minimum necessary, preventing unauthorized file access even if traversal is attempted. Monitor logs for suspicious file access patterns indicative of traversal attacks. Conduct regular security assessments and code reviews focusing on file handling routines. Additionally, isolate the plugin environment to limit potential lateral movement in case of compromise.