CVE-2026-32263

Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.11, in src/controllers/EntryTypesController.php, the $settings array from parse_str is passed directly to Craft::configure() without Component::cleanseConfig(). This allows injecting Yii2 behavior/event handlers via "as" or "on" prefixed keys, the same attack vector as the original advisory. Craft control panel administrator permissions and allowAdminChanges must be enabled for this to work. This issue has been patched in version 5.9.11.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/craftcms/cms/commit/d37389dbffafa565143be40a2ab1e1db22a863f7	Patch
https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7	Vendor Advisory
https://github.com/craftcms/cms/security/advisories/GHSA-qx2q-q59v-wf3j	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*

History

17 Mar 2026, 17:55

Type	Values Removed	Values Added
References	~~() https://github.com/craftcms/cms/commit/d37389dbffafa565143be40a2ab1e1db22a863f7 -~~	() https://github.com/craftcms/cms/commit/d37389dbffafa565143be40a2ab1e1db22a863f7 - Patch
References	~~() https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7 -~~	() https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7 - Vendor Advisory
References	~~() https://github.com/craftcms/cms/security/advisories/GHSA-qx2q-q59v-wf3j -~~	() https://github.com/craftcms/cms/security/advisories/GHSA-qx2q-q59v-wf3j - Patch, Vendor Advisory
First Time		Craftcms Craftcms craft Cms
CPE		cpe:2.3:a:craftcms:craft_cms::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.2

16 Mar 2026, 20:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-16 20:16

Updated : 2026-03-17 17:55

NVD link : CVE-2026-32263

Mitre link : CVE-2026-32263

CVE.ORG link : CVE-2026-32263

JSON object : View

Products Affected

craftcms

craft_cms

CWE

CWE-470

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

{"id": "CVE-2026-32263", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.6, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-16T20:16:19.170", "references": [{"url": "https://github.com/craftcms/cms/commit/d37389dbffafa565143be40a2ab1e1db22a863f7", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/craftcms/cms/security/advisories/GHSA-qx2q-q59v-wf3j", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-470"}]}], "descriptions": [{"lang": "en", "value": "Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.11, in src/controllers/EntryTypesController.php, the $settings array from parse_str is passed directly to Craft::configure() without Component::cleanseConfig(). This allows injecting Yii2 behavior/event handlers via \"as\" or \"on\" prefixed keys, the same attack vector as the original advisory. Craft control panel administrator permissions and allowAdminChanges must be enabled for this to work. This issue has been patched in version 5.9.11."}], "lastModified": "2026-03-17T17:55:32.583", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E9E296E2-3127-4E71-9341-DFAD0ABC91D0", "versionEndExcluding": "5.9.11", "versionStartIncluding": "5.6.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}