A vulnerability labeled as critical has been found in Craft CMS up to 4.17.4/5.9.10 . This affects the function replaceFile . Such manipulation of the argument targetFilename leads to path traversal. This vulnerability is documented as CVE-2026-32262 . The attack can be executed remotely. There is not any exploit available. The affected component should be upgraded.