CVE-2026-32264

Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, there is a Behavior injection RCE vulnerability in ElementIndexesController and FieldsController. Craft control panel administrator permissions and allowAdminChanges must be enabled for this to work. This issue has been patched in versions 4.17.5 and 5.9.11.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/craftcms/cms/commit/78d181e12e0b15e1300f54ec85f19859d3300f70	Patch
https://github.com/craftcms/cms/commit/dfec46362fcb40b330ce8a4d8136446e65085620	Patch
https://github.com/craftcms/cms/security/advisories/GHSA-4484-8v2f-5748	Patch Vendor Advisory
https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:craftcms:craft_cms::::::::
	cpe:2.3:a:craftcms:craft_cms::::::::
	cpe:2.3:a:craftcms:craft_cms:4.0.0:-::::::
	cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1::::::
	cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2::::::
	cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3::::::
	cpe:2.3:a:craftcms:craft_cms:5.0.0:-::::::
	cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1::::::

History

17 Mar 2026, 17:53

Type	Values Removed	Values Added
References	~~() https://github.com/craftcms/cms/commit/78d181e12e0b15e1300f54ec85f19859d3300f70 -~~	() https://github.com/craftcms/cms/commit/78d181e12e0b15e1300f54ec85f19859d3300f70 - Patch
References	~~() https://github.com/craftcms/cms/commit/dfec46362fcb40b330ce8a4d8136446e65085620 -~~	() https://github.com/craftcms/cms/commit/dfec46362fcb40b330ce8a4d8136446e65085620 - Patch
References	~~() https://github.com/craftcms/cms/security/advisories/GHSA-4484-8v2f-5748 -~~	() https://github.com/craftcms/cms/security/advisories/GHSA-4484-8v2f-5748 - Patch, Vendor Advisory
References	~~() https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7 -~~	() https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7 - Vendor Advisory
First Time		Craftcms Craftcms craft Cms
CPE		cpe:2.3:a:craftcms:craft_cms:::::::: cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:::::: cpe:2.3:a:craftcms:craft_cms:4.0.0:-:::::: cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:::::: cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:::::: cpe:2.3:a:craftcms:craft_cms:5.0.0:-:::::: cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.2

16 Mar 2026, 20:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-16 20:16

Updated : 2026-03-17 17:53

NVD link : CVE-2026-32264

Mitre link : CVE-2026-32264

CVE.ORG link : CVE-2026-32264

JSON object : View

Products Affected

craftcms

craft_cms

CWE

CWE-470

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

7.2 /10