PatchSiren cyber security CVE debrief

CVE-2026-49133 typemill CVE debrief

CVE-2026-49133 is a high-severity path traversal vulnerability in Typemill before 2.24.0. Authenticated attackers with Author-level privileges can read arbitrary files outside the content directory by manipulating the path query parameter. This vulnerability, with a CVSS score of 7.1, was publicly disclosed on June 17, 2026. The vulnerability was patched in version 2.24.2. Users should update to the latest version to mitigate this risk.

Vendor: typemill
Product: Unknown
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-17
Original CVE updated: 2026-06-23
Advisory published: 2026-06-17
Advisory updated: 2026-06-23

Who should care

Administrators and users of Typemill versions prior to 2.24.0 should be aware of this vulnerability. Because exploitation requires only Author-level credentials, installations that grant that role to many or loosely vetted users are particularly exposed. Security teams and IT professionals responsible for maintaining Typemill installations should prioritize patching to prevent disclosure of files outside the content directory.

Technical summary

The vulnerability exists in the Storage::getFile() method of Typemill: when the folder argument is empty, the traversal-prevention controls in Storage::getFolderPath() are bypassed. Supplying traversal sequences in the path query parameter then resolves to files outside the content directory, allowing an authenticated Author to read them. The CVSS vector for this vulnerability is CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.
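The failure pattern above, a containment check that is tied to one argument and therefore skipped when that argument is empty, is general. The following added example is not Typemill's Storage code and does not reproduce its internals; it is a generic illustration in Python with hypothetical function names, showing a weak resolver whose check only covers the folder component next to a hardened resolver that validates the fully resolved target against the content root regardless of which argument carried the traversal.

```python
"""Illustrative path-containment check for a CMS content directory.

Added example; this is NOT Typemill's Storage code. It shows the general
pattern the debrief describes: a check applied only to the folder component
does nothing when that component is empty, so the final resolved path must be
checked against the content root instead. Function and variable names are
hypothetical.
"""
import os
import tempfile


class PathOutsideContentRoot(Exception):
    """Raised when a requested file resolves outside the content directory."""


def weak_get_file(content_root: str, folder: str, path: str) -> str:
    """Hypothetical weak resolver: traversal is only rejected inside `folder`.

    When `folder` is empty the check is skipped entirely and `path` is joined
    unchecked, which is the failure pattern described in the debrief.
    """
    if folder and ".." in folder.split("/"):
        raise PathOutsideContentRoot(folder)
    return os.path.normpath(os.path.join(content_root, folder, path))


def safe_get_file(content_root: str, folder: str, path: str) -> str:
    """Hardened resolver: verify the fully resolved target stays inside the root.

    The check is independent of which argument carried the traversal and of
    whether `folder` is empty. realpath resolves symlinks, so a link inside the
    root cannot point outside it, and an absolute `path` (which os.path.join
    would honour) is rejected for the same reason.
    """
    root = os.path.realpath(content_root)
    target = os.path.realpath(os.path.join(root, folder, path))
    # commonpath avoids the prefix trap: /srv/content2 is not inside /srv/content
    if os.path.commonpath([root, target]) != root:
        raise PathOutsideContentRoot(target)
    return target


def is_contained(content_root: str, folder: str, path: str) -> bool:
    """Convenience wrapper returning True if the request stays within the root."""
    try:
        safe_get_file(content_root, folder, path)
        return True
    except PathOutsideContentRoot:
        return False


def demo() -> dict:
    """Build a constructed content directory and compare the two resolvers."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "content")
        os.makedirs(root)
        with open(os.path.join(root, "index.md"), "w") as fh:
            fh.write("# hello\n")
        with open(os.path.join(tmp, "secret.txt"), "w") as fh:
            fh.write("outside the content root\n")

        traversal = "../secret.txt"  # constructed sample input
        return {
            "weak_escapes_with_empty_folder":
                weak_get_file(root, "", traversal) == os.path.join(tmp, "secret.txt"),
            "safe_rejects_with_empty_folder": not is_contained(root, "", traversal),
            "safe_rejects_in_folder": not is_contained(root, "../", "secret.txt"),
            "safe_allows_legit": is_contained(root, "", "index.md"),
        }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The design point is that the containment decision is made once, on the final resolved path, rather than per argument; any per-argument check has a gap whenever one of the arguments can be empty, absolute, or otherwise skip the branch that performs it.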

Defensive priority

High

Recommended defensive actions

  • Update Typemill to version 2.24.2 or later
  • Restrict Author-level privileges to minimize risk
  • Monitor for suspicious file access attempts
  • Implement additional access controls and file system restrictions
  • Regularly review and update software dependencies
  • Consider using a Web Application Firewall (WAF) to detect and prevent attacks
  • Perform a thorough security audit of the Typemill installation
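For the "monitor for suspicious file access attempts" action, the most direct signal is a web access log entry whose path query parameter carries traversal sequences. The following added example, which is not part of PatchSiren's or Typemill's tooling, scans constructed combined-format log lines for that pattern; the request route (/tm/media) is a hypothetical placeholder, not a route taken from the page, and the decoder also catches percent-encoded and double-encoded dots and backslash separators, which plain substring matching on ".." would miss.

```python
"""Detect traversal attempts in the `path` query parameter of web access logs.

Added example for the "monitor for suspicious file access attempts" action;
it is not part of PatchSiren's or Typemill's tooling. The log lines are
constructed samples in Apache/nginx combined format, and the endpoint route
(/tm/media) is a hypothetical placeholder rather than a route from the page.
"""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample traffic (not real logs): one benign request, three
# traversal attempts with different encodings, and one unrelated request.
SAMPLE_LOG = """\
203.0.113.5 - author1 [17/Jun/2026:10:01:02 +0000] "GET /tm/media?path=images/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - author1 [17/Jun/2026:10:01:09 +0000] "GET /tm/media?path=../../config/settings.yaml HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - author2 [17/Jun/2026:10:02:15 +0000] "GET /tm/media?path=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1432 "-" "curl/8.0"
198.51.100.7 - author2 [17/Jun/2026:10:02:20 +0000] "GET /tm/media?path=docs/..%5c..%5cwin.ini HTTP/1.1" 404 0 "-" "curl/8.0"
192.0.2.9 - - [17/Jun/2026:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def _fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded dots (%252e) are caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(value: str) -> bool:
    """True if any segment of the decoded value is '..' (with / or \\ separators)."""
    decoded = _fully_decode(value).replace("\\", "/")
    return any(seg == ".." for seg in decoded.split("/"))


def scan_log(text: str, param: str = "path"):
    """Return one dict per request whose `param` query value contains traversal."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # parse_qs already decodes one level; _fully_decode handles deeper nesting
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            if has_traversal(value):
                hits.append({
                    "ip": m.group("ip"),
                    "user": m.group("user"),
                    "status": int(m.group("status")),
                    "path_param": _fully_decode(value),
                })
    return hits


def successful_hits(hits):
    """Traversal requests answered with 2xx: the server likely served the file."""
    return [h for h in hits if 200 <= h["status"] < 300]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A flagged request answered with a 2xx status deserves incident handling rather than just alerting, since it indicates the file was likely returned; the authenticated username in the log identifies which Author account to review, and the matched parameter value shows which file was targeted.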

Evidence notes

The vulnerability was publicly disclosed on June 17, 2026, and patched in version 2.24.2. The CVE record and NVD detail provide additional information on the vulnerability. References to the disclosure and patch can be found at [ref-4], [ref-5], and [ref-6].

Official resources

CVE-2026-49133 was publicly disclosed on June 17, 2026.