CVE-2026-32264

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-32264
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32264.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-32264
Aliases
Related
Published
2026-03-16T19:02:22.720Z
Modified
2026-04-10T05:42:22.014765Z
Severity
  • 8.6 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Craft CMS vulnerable to behavior injection RCE ElementIndexesController and FieldsController
Details

Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, there is a Behavior injection RCE vulnerability in ElementIndexesController and FieldsController. Craft control panel administrator permissions and allowAdminChanges must be enabled for this to work. This issue has been patched in versions 4.17.5 and 5.9.11.

Database specific 
{
    "cwe_ids": [
        "CWE-470"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32264.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/craftcms/cms

Affected ranges

Type
GIT
Repo
https://github.com/craftcms/cms
Events
Introduced
daac7c1da2f701f2e9ddee1da1457ce61660b581
Fixed
e370b5a098420ef2fe9c569c17ed2bfe047bebd9
Database specific 
{
    "versions": [
        {
            "introduced": "4.0.0-RC1"
        },
        {
            "fixed": "4.17.5"
        }
    ]
}
Type
GIT
Repo
https://github.com/craftcms/cms
Events
Introduced
04755d93f86d07cc183db47db8a0eee106892e30
Fixed
7882526a2a26ab6d515604b7f0a0a04eb1760e25
Database specific 
{
    "versions": [
        {
            "introduced": "5.0.0-RC1"
        },
        {
            "fixed": "5.9.11"
        }
    ]
}

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32264.json"