CVE-2026-32264

Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, there is a Behavior injection RCE vulnerability in ElementIndexesController and FieldsController. Craft control panel administrator permissions and allowAdminChanges must be enabled for this to work. This issue has been patched in versions 4.17.5 and 5.9.11.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*

History

17 Jun 2026, 10:35

Type Values Removed Values Added
Summary
  • (es) Craft CMS es un sistema de gestión de contenido (CMS). Desde la versión 4.0.0-RC1 hasta antes de la versión 4.17.5 y desde la versión 5.0.0-RC1 hasta antes de la versión 5.9.11, existe una vulnerabilidad de RCE por inyección de comportamiento en ElementIndexesController y FieldsController. Los permisos de administrador del panel de control de Craft y allowAdminChanges deben estar habilitados para que esto funcione. Este problema ha sido parcheado en las versiones 4.17.5 y 5.9.11.

17 Mar 2026, 17:53

Type Values Removed Values Added
CPE cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.2
References () https://github.com/craftcms/cms/commit/78d181e12e0b15e1300f54ec85f19859d3300f70 - () https://github.com/craftcms/cms/commit/78d181e12e0b15e1300f54ec85f19859d3300f70 - Patch
References () https://github.com/craftcms/cms/commit/dfec46362fcb40b330ce8a4d8136446e65085620 - () https://github.com/craftcms/cms/commit/dfec46362fcb40b330ce8a4d8136446e65085620 - Patch
References () https://github.com/craftcms/cms/security/advisories/GHSA-4484-8v2f-5748 - () https://github.com/craftcms/cms/security/advisories/GHSA-4484-8v2f-5748 - Patch, Vendor Advisory
References () https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7 - () https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7 - Vendor Advisory
First Time Craftcms
Craftcms craft Cms

16 Mar 2026, 20:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-03-16 20:16

Updated : 2026-06-17 10:35


NVD link : CVE-2026-32264

Mitre link : CVE-2026-32264

CVE.ORG link : CVE-2026-32264


JSON object : View

Products Affected

craftcms

  • craft_cms
CWE
CWE-470

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')