CVE-2026-32264 | THREATINT

Description

Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, there is a Behavior injection RCE vulnerability in ElementIndexesController and FieldsController. Craft control panel administrator permissions and allowAdminChanges must be enabled for this to work. This issue has been patched in versions 4.17.5 and 5.9.11.

PUBLISHED Reserved 2026-03-11 | Published 2026-03-16 | Updated 2026-03-17 | Assigner GitHub_M

HIGH: 8.6CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

Product status

>= 4.0.0-RC1, < 4.17.5

affected

>= 5.0.0-RC1, < 5.9.11

affected

References

github.com/...ms/cms/security/advisories/GHSA-4484-8v2f-5748

github.com/...ms/cms/security/advisories/GHSA-7jx7-3846-m7w7

github.com/...ommit/78d181e12e0b15e1300f54ec85f19859d3300f70

github.com/...ommit/dfec46362fcb40b330ce8a4d8136446e65085620

cve.org (CVE-2026-32264)

nvd.nist.gov (CVE-2026-32264)

Download JSON