CVE-2026-32263

Source
https://cve.org/CVERecord?id=CVE-2026-32263
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32263.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-32263
Aliases
Related
Published
2026-03-16T18:57:50.342Z
Modified
2026-07-15T01:49:19.314646817Z
Severity
  • 8.6 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Craft CMS vulnerable to behavior injection RCE via EntryTypesController
Details

Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.11, in src/controllers/EntryTypesController.php, the $settings array from parse_str is passed directly to Craft::configure() without Component::cleanseConfig(). This allows injecting Yii2 behavior/event handlers via "as" or "on" prefixed keys, the same attack vector as the original advisory. Craft control panel administrator permissions and allowAdminChanges must be enabled for this to work. This issue has been patched in version 5.9.11.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-470"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32263.json"
}
References

Affected packages

Git / github.com/craftcms/cms

Affected ranges

Type
GIT
Repo
https://github.com/craftcms/cms
Events
Database specific
{
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "5.6.0"
        },
        {
            "fixed": "5.9.11"
        }
    ],
    "cpe": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*"
}

Affected versions

5.*
5.6.0
5.6.0.1
5.6.0.2
5.6.1
5.6.10
5.6.10.1
5.6.10.2
5.6.11
5.6.12
5.6.13
5.6.14
5.6.15
5.6.16
5.6.17
5.6.2
5.6.3
5.6.4
5.6.5
5.6.5.1
5.6.6
5.6.7
5.6.8
5.6.9
5.6.9.1
5.7.0
5.7.1
5.7.1.1
5.7.10
5.7.11
5.7.2
5.7.3
5.7.4
5.7.5
5.7.6
5.7.7
5.7.8
5.7.8.1
5.7.8.2
5.7.9
5.8.0
5.8.1
5.8.10
5.8.11
5.8.12
5.8.13
5.8.13.1
5.8.13.2
5.8.14
5.8.15
5.8.16
5.8.17
5.8.18
5.8.19
5.8.2
5.8.20
5.8.21
5.8.22
5.8.23
5.8.3
5.8.4
5.8.5
5.8.6
5.8.7
5.8.8
5.8.9
5.9.0
5.9.0-beta.1
5.9.0-beta.2
5.9.1
5.9.10
5.9.2
5.9.3
5.9.4
5.9.5
5.9.6
5.9.7
5.9.8
5.9.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32263.json"