Images rendered in templates or otherwise accessed via DBFile::getURL() or DBFile::getSourceURL() incorrectly add an access grant to the current session, which bypasses file permissions.
This usually happens when creating an image variant, for example using a manipulation method like ScaleWidth() or Convert().
Note that if you use DBFile directly in the $db configuration for a DataObject class that doesn't subclass File, and if you were setting the visibility of those files to "protected", those files will now need an explicit access grant to be accessed. If you do not want to explicitly provide access grants for these files (i.e. you want these files to be accessible by default), you should use the "public" visibility.
Restruct web & apps
| Score | Percentile |
|---|---|
| 0.04% | 11.46% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 5.3 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-jgcf-rf45-2f8v ↗ |
| CVE | CVE-2026-24749 ↗ |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| composer | silverstripe/assets | < 2.4.5 | 2.4.5 | — |
| composer | silverstripe/assets | >= 3.0.0, < 3.1.3 | 3.1.3 | — |