CVE-2026-32263 — Unsafe Reflection in Craft CMS

CWE-470 — Unsafe Reflection5 documents5 sources

Severity

8.6HIGHNVD

EPSS

0.0%

top 86.04%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Craftcms Craft CMS Craftcms CMS

Timeline

PublishedMar 16

Description

Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.11, in src/controllers/EntryTypesController.php, the $settings array from parse_str is passed directly to Craft::configure() without Component::cleanseConfig(). This allows injecting Yii2 behavior/event handlers via "as" or "on" prefixed keys, the same attack vector as the original advisory. Craft control panel administrator permissions and allowAdminChanges must be enabled for this to work. This issue has b…

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages3 packages

▶Packagistcraftcms/cms5.6.0 — 5.9.11

▶NVDcraftcms/craft_cms5.6.0 — 5.9.11

▶CVEListV5craftcms/cms>= 5.6.0, < 5.9.11

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Craft CMS vulnerable to behavior injection RCE via EntryTypesController↗2026-03-16

▶

CVEList

Craft CMS vulnerable to behavior injection RCE via EntryTypesController↗2026-03-16

▶

GHSA

Craft CMS vulnerable to behavior injection RCE via EntryTypesController↗2026-03-16

▶

🕵️Threat Intelligence

Wiz

CVE-2026-32263 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶