CVE-2026-32263
Published 2026-03-16
Priority P345 · Severity high · CVSS 3.1 base score 7.2
Vector: AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.50% (38.9th percentile)
Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.11, in src/controllers/EntryTypesController.php, the $settings array produced by parse_str is passed directly to Craft::configure() without first being run through Component::cleanseConfig(). Because Yii2 components treat "on "-prefixed keys as event-handler attachments and "as "-prefixed keys as behavior attachments, a request body can inject arbitrary handlers and behaviors; this is the same attack vector as the original advisory (GHSA-7jx7-3846-m7w7). Exploitation requires an account with Craft control panel administrator permissions and the allowAdminChanges config setting enabled. This issue has been patched in version 5.9.11.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| craftcms | cms | — | — |
| craftcms | cms | >= 5.6.0 < 5.9.11 | 5.9.11 |
| craftcms | craft_cms | >= 5.6.0 < 5.9.11 | 5.9.11 |
CVSS provenance
NVD, CVSS v3.1: 7.2 HIGH, vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v4.0: 8.6 HIGH, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (E, CR, IR, AR and all environmental/supplemental metrics not defined)
OSV
osv·2026-03-16
CVE-2026-32263 [HIGH] Craft CMS vulnerable to behavior injection RCE via EntryTypesController
The fix for GHSA-7jx7-3846-m7w7 (commit 395c64f0b80b507be1c862a2ec942eaacb353748) only patched `src/services/Fields.php`, but the same vulnerable pattern exists in `EntryTypesController::actionApplyOverrideSettings()`.
In `src/controllers/EntryTypesController.php` lines 381-387:
```php
$settingsStr = $this->request->getBodyParam('settings');
parse_str($settingsStr, $postedSettings);            // raw request body -> nested array, keys unfiltered
$settingsNamespace = $this->request->getRequiredBodyParam('settingsNamespace');
$settings = array_filter(ArrayHelper::getValue($postedSettings, $settingsNamespace, []));
if (!empty($settings)) {
    Craft::configure($entryType, $settings);         // no Component::cleanseConfig() call before this
```
The `$settings` array from `parse_str` is passed directly to `Craft::configure()` without `Compon
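To make the mechanism concrete, here is an added, self-contained example that is not code from Craft CMS or Yii2. It reproduces in miniature what the advisory describes: the `parse_str()` -> namespace lookup -> `array_filter()` -> configure chain, a component whose magic `__set()` mirrors the `on ` / `as ` branches of `yii\base\Component::__set()`, and a `cleanseConfig()` that strips those keys the way the 5.9.11 fix does before `Craft::configure()` is reached. `DemoComponent`, `demo_handler()`, `applySettings()`, the `types` namespace and the request body are assumptions made for the demo; `cleanseConfig()` is a reimplementation of the idea behind Craft's `Component::cleanseConfig()`, not a copy of it.

```php
<?php
// Added example, not Craft CMS or Yii2 code. All names below are demo assumptions.
// Yii::configure() assigns every key of a config array as a property; for a
// yii\base\Component that ends in __set(), which treats "on <event>" as an event-handler
// attachment and "as <name>" as a behavior attachment (Yii calls Yii::createObject()
// on the value there, i.e. it instantiates a class chosen by the request).
declare(strict_types=1);

final class DemoComponent
{
    public string $name = '';
    /** @var array<string, list<callable>> */
    private array $handlers = [];
    /** @var list<string> attach requests recorded instead of instantiated */
    public array $attachRequests = [];

    // Only the branches of yii\base\Component::__set() that matter for this bug class.
    public function __set(string $key, mixed $value): void
    {
        if (str_starts_with($key, 'on ')) {
            $this->handlers[trim(substr($key, 3))][] = $value; // request-supplied callable
            return;
        }
        if (str_starts_with($key, 'as ')) {
            // Real Yii: Yii::createObject($value) -> new $value['class'] with remaining keys as props.
            $this->attachRequests[] = json_encode($value);
            return;
        }
        throw new LogicException("Setting unknown property: $key");
    }

    public function trigger(string $event): array
    {
        $results = [];
        foreach ($this->handlers[$event] ?? [] as $handler) {
            $results[] = call_user_func($handler, $this);
        }
        return $results;
    }
}

// Same loop as Yii::configure(): every key becomes a property assignment.
function configure(object $object, array $properties): object
{
    foreach ($properties as $name => $value) {
        $object->$name = $value;
    }
    return $object;
}

// Strip "on "/"as " keys at every nesting level before the array can reach configure().
function cleanseConfig(array $config): array
{
    foreach ($config as $key => $value) {
        if (is_string($key) && (str_starts_with($key, 'on ') || str_starts_with($key, 'as '))) {
            unset($config[$key]);
        } elseif (is_array($value)) {
            $config[$key] = cleanseConfig($value);
        }
    }
    return $config;
}

// Stand-in for the controller flow. parse_str() only rewrites spaces/dots in the top-level
// name; inside [...] they survive, so "on afterSave" arrives intact as a nested key.
function applySettings(string $settingsStr, string $namespace, bool $cleanse): DemoComponent
{
    parse_str($settingsStr, $posted);
    $settings = array_filter($posted[$namespace] ?? []);
    if ($cleanse) {
        $settings = cleanseConfig($settings);   // the missing step in the vulnerable controller
    }
    return configure(new DemoComponent(), $settings);
}

function demo_handler(DemoComponent $c): string
{
    return "handler ran on entry type '{$c->name}'";
}

// Constructed request body for the demo (not a real exploit): one legitimate field plus two
// injected keys that would be accepted unchanged by the unpatched code path.
$body = http_build_query([
    'types' => [
        'name'         => 'Article',
        'on afterSave' => 'demo_handler',
        'as demo'      => ['class' => 'Some\\Class\\ChosenByTheRequest'],
    ],
]);

$vuln = applySettings($body, 'types', false);
printf("vulnerable: handlers=%s attach=%s\n",
    json_encode($vuln->trigger('afterSave')), json_encode($vuln->attachRequests));

$fixed = applySettings($body, 'types', true);
printf("cleansed:   handlers=%s attach=%s name=%s\n",
    json_encode($fixed->trigger('afterSave')), json_encode($fixed->attachRequests), $fixed->name);
```

Run with `php demo.php` (PHP 8.0 or newer for `str_starts_with` and `mixed`). The first call shows the injected handler firing and the behavior attach request being recorded; the second shows both keys gone while the legitimate `name` still lands. Two practical notes: the check must recurse, because Yii config arrays nest (a behavior's own config can carry further `on `/`as ` keys), and since the page says exploitation needs an admin account plus `allowAdminChanges`, keeping `allowAdminChanges` off in production narrows the window until 5.9.11 is deployed.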
GHSA
ghsa·2026-03-16
CVE-2026-32263 [HIGH] CWE-470 Craft CMS vulnerable to behavior injection RCE via EntryTypesController
(Advisory text identical to the OSV entry above.)
No detection rules found.
No public exploits indexed.