CVE-2026-32264

HIGH

Craft CMS vulnerable to behavior injection RCE ElementIndexesController and FieldsController

Title source: cna

Description

Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, there is a Behavior injection RCE vulnerability in ElementIndexesController and FieldsController. Craft control panel administrator permissions and allowAdminChanges must be enabled for this to work. This issue has been patched in versions 4.17.5 and 5.9.11.

References (4)

Core 4

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/craftcms/cms/security/advisories/GHSA-4484-8v2f-5748

X_Refsource_Misc x_refsource_misc

https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7

X_Refsource_Misc x_refsource_misc

https://github.com/craftcms/cms/commit/78d181e12e0b15e1300f54ec85f19859d3300f70

View Writeup ZIP pw:eip

X_Refsource_Misc x_refsource_misc

https://github.com/craftcms/cms/commit/dfec46362fcb40b330ce8a4d8136446e65085620

View Writeup ZIP pw:eip

Scores

CVSS v3 7.2

EPSS 0.0052

EPSS Percentile 39.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-470

Status published

Products (6)

craftcms/cms 4.0.0-RC1 - 4.17.5Packagist

craftcms/cms >= 4.0.0-RC1, < 4.17.5

craftcms/cms >= 5.0.0-RC1, < 5.9.11

craftcms/craft_cms 4.0.0 (4 CPE variants)

craftcms/craft_cms 5.0.0 (2 CPE variants)

craftcms/craft_cms 4.0.0.1 - 4.17.5

Published Mar 16, 2026

Tracked Since Mar 17, 2026