CVE-2026-32731: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in apostrophecms import-export
ApostropheCMS is an open-source content management framework. Prior to version 3.5.3 of `@apostrophecms/import-export`, the `extract()` function in `gzip.js` constructs file-write paths using `fs.createWriteStream(path.join(exportPath, header.name))`. `path.join()` does not resolve or sanitise traversal segments such as `../`. It concatenates them as-is, meaning a tar entry named `../../evil.js` resolves to a path outside the intended extraction directory. No canonical-path check is performed before the write stream is opened. This is a textbook Zip Slip vulnerability. Any user who has been granted the Global Content Modify permission — a role routinely assigned to content editors and site managers — can upload a crafted `.tar.gz` file through the standard CMS import UI and write attacker-controlled content to any path the Node.js process can reach on the host filesystem. Version 3.5.3 of `@apostrophecms/import-export` fixes the issue.
AI Analysis
Technical Summary
CVE-2026-32731 is a critical path traversal vulnerability classified under CWE-22 affecting ApostropheCMS's import-export module versions prior to 3.5.3. The vulnerability exists in the extract() function within gzip.js, which uses fs.createWriteStream combined with path.join(exportPath, header.name) to write files extracted from a .tar.gz archive. The path.join() method does not sanitize or resolve traversal segments such as '../', allowing malicious archive entries to escape the intended extraction directory. This lack of canonical path validation enables an attacker with Global Content Modify permissions to upload a specially crafted .tar.gz file containing entries like '../../evil.js', resulting in arbitrary file writes anywhere accessible by the Node.js process on the host filesystem. Since content editors and site managers commonly have this permission, the attack surface includes a broad set of users with legitimate access to the CMS import functionality. The vulnerability can lead to arbitrary code execution, data tampering, or denial of service by overwriting critical files. The issue was publicly disclosed on March 18, 2026, with a maximum CVSS v3.1 score of 10.0, indicating critical severity. The ApostropheCMS team addressed the vulnerability in version 3.5.3 by implementing proper path sanitization and canonicalization before file extraction. No public exploits have been observed, but the ease of exploitation and high privileges required make this a significant threat to affected installations.
Potential Impact
The impact of CVE-2026-32731 is severe for organizations using ApostropheCMS versions prior to 3.5.3, especially those assigning Global Content Modify permissions to multiple users. Successful exploitation allows attackers to write arbitrary files anywhere on the server filesystem accessible by the Node.js process, potentially leading to remote code execution, persistent backdoors, data corruption, or complete system compromise. This can result in loss of confidentiality, integrity, and availability of critical web content and backend systems. Organizations relying on ApostropheCMS for public-facing websites or internal portals face reputational damage, data breaches, and operational disruptions. Given the critical CVSS score and the common assignment of the required permission, the threat is widespread. Attackers could leverage this vulnerability to implant web shells, escalate privileges, or pivot within the network. The absence of user interaction beyond uploading a crafted archive and the network-exploitable nature further exacerbate the risk. Although no exploits are currently known in the wild, the vulnerability's characteristics make it a prime target for attackers once publicized.
Mitigation Recommendations
Organizations should immediately upgrade the @apostrophecms/import-export module to version 3.5.3 or later, where the vulnerability is patched. Until the upgrade can be applied, restrict the Global Content Modify permission to the minimum number of trusted users to reduce the attack surface. Implement additional file upload validation controls at the application or web server level to detect and block archives containing path traversal sequences. Employ runtime application self-protection (RASP) or host-based intrusion detection systems (HIDS) to monitor suspicious file writes outside expected directories. Review and harden Node.js process permissions and filesystem access rights to limit the impact of potential arbitrary file writes. Conduct thorough audits of user roles and permissions within ApostropheCMS to ensure least privilege principles. Consider isolating the CMS environment in a container or sandboxed environment to contain potential exploitation. Monitor security advisories and logs for any signs of exploitation attempts related to this vulnerability.
Affected Countries
United States, United Kingdom, Germany, France, Canada, Australia, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-13T15:02:00.627Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69bb2706771bdb1749cae21d
Added to database: 3/18/2026, 10:28:22 PM
Last enriched: 3/18/2026, 10:42:38 PM
Last updated: 3/19/2026, 6:50:57 AM