CVE Tools
Sign in

CVE-2026-24749

Silverstripe Assets Module has a DBFile::getURL() permission bypass

Published: Apr 16, 2026Updated: Apr 28, 2026 Sources: CVE List NVDCWE-863
NVD MITRE
5.3CVSSMEDIUM
EPSS Score
0.4%
Top 68.6%
CISA KEV
Not in KEV
Exploits
No Known Exploits
Remediation
No Fix Available

Description

The Silverstripe Assets Module is a required component of Silverstripe Framework. In versions prior to 2.4.5 and 3.0.0-rc1 through 3.1.2, images rendered in templates or otherwise accessed via DBFile::getURL() or DBFile::getSourceURL() incorrectly add an access grant to the current session, which bypasses file permissions. This usually happens when creating an image variant, for example using a manipulation method like ScaleWidth() or Convert(). Note that if developers use DBFile directly in the $db configuration for a DataObject class that doesn't subclass File, and if they were setting the visibility of those files to "protected", those files will now need an explicit access grant to be accessed. If developers do not want to explicitly provide access grants for these files in their apps (i.e. they want these files to be accessible by default), they should use the "public" visibility. This issue has been fixed in versions 2.4.5 and 3.1.3.

CVSS Vector Breakdown

AV:NAC:LPR:NUI:NS:UC:LI:NA:N
Exploitability
AV:NAttack Vector
Network
AC:LAttack Complexity
Low
PR:NPrivileges Required
None
UI:NUser Interaction
None
Scope
S:UScope
Unchanged
Impact
C:LConfidentiality
Low
I:NIntegrity
None
A:NAvailability
None
Open in CVSS calculator →

Weaknesses

CWE-863

Affected Products

silverstripe-assetssilverstripe
On-prem
Web & CMS Plugins / cms-core
silverstripecommercialWeb & CMS Pluginsaka silverstripe framework, silverstripe cms

Attack Graph

Products CVE Techniques Tactics

Click technique nodes to view MITRE ATT&CK details. Scroll to zoom, drag to pan.

Exploitability

No known exploits, KEV entries, or remediation guidance available for this vulnerability yet.

MITRE ATT&CK

2 techniques
Initial Access
View detailed technique mapping

References

https://github.com/silverstripe/silverstripe-assets/security/advisories/GHSA-jgcf-rf45-2f8v
github.com
https://www.silverstripe.org/download/security-releases/cve-2026-24749
silverstripe.org

Timeline

Published
Apr 16, 2026
Last Updated
Apr 28, 2026

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2026-24749 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows