CVE-2026-24749— Silverstripe Assets Module has a DBFile::getURL() permission bypass
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-24749
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Silverstripe Assets Module has a DBFile::getURL() permission bypass
Source: NVD (National Vulnerability Database)
Vulnerability Description
The Silverstripe Assets Module is a required component of Silverstripe Framework. In versions prior to 2.4.5 and 3.0.0-rc1 through 3.1.2, images rendered in templates or otherwise accessed via DBFile::getURL() or DBFile::getSourceURL() incorrectly add an access grant to the current session, which bypasses file permissions. This usually happens when creating an image variant, for example using a manipulation method like ScaleWidth() or Convert(). Note that if developers use DBFile directly in the $db configuration for a DataObject class that doesn't subclass File, and if they were setting the visibility of those files to "protected", those files will now need an explicit access grant to be accessed. If developers do not want to explicitly provide access grants for these files in their apps (i.e. they want these files to be accessible by default), they should use the "public" visibility. This issue has been fixed in versions 2.4.5 and 3.1.3.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
授权机制不正确
Source: NVD (National Vulnerability Database)
Vulnerability Title
SilverStripe Assets Module 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
SilverStripe Assets Module是新西兰SilverStripe公司的一个 SilverStripe 框架的资产组件。 Silverstripe Assets Module 2.4.5之前版本和3.0.0-rc1至3.1.2版本存在安全漏洞,该漏洞源于错误添加访问授权,可能导致绕过文件权限。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| silverstripe | silverstripe-assets | < 2.4.5 | - |
II. Public POCs for CVE-2026-24749
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-24749
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same vendor: silverstripe
- CVE-2025-30148
Silverstripe Framework has a XSS vulnerability in HTML edito - CVE-2025-25197
Silverstripe Elemental enables XSS attacks in elemental "Con - CVE-2024-53277
Cross-site Scripting in form messages in silverstripe framew - CVE-2024-47605
Cross-site Scripting via insert media remote file oembed in - CVE-2024-32981
Cross-site Scripting vulnerability with encoded payload in s
Same weakness: CWE-863
- CVE-2026-42571
Privilege Escalation Attack affecting Pelican Web UI - CVE-2025-15633
HCL BigFix WebUI is affected by an improper authorization vu - CVE-2026-42296
Argo Workflows has incomplete fix for CVE-2026-31892: hostNe - CVE-2025-66170
Apache CloudStack: Any user can list backups that they shoul - CVE-2026-41903
FreeScout IDOR Vulnerability: PERM_EDIT_USERS allows modifyi
V. Comments for CVE-2026-24749
No comments yet