CVE-2026-32264Unsafe Reflection in Craft CMS

CWE-470Unsafe Reflection5 documents5 sources
Severity
8.6HIGHNVD
EPSS
0.0%
top 86.02%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Craftcms Craft CMSCraftcms CMS
Timeline
PublishedMar 16

Description

Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, there is a Behavior injection RCE vulnerability in ElementIndexesController and FieldsController. Craft control panel administrator permissions and allowAdminChanges must be enabled for this to work. This issue has been patched in versions 4.17.5 and 5.9.11.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages3 packages

Packagistcraftcms/cms4.0.0-RC14.17.5+1
NVDcraftcms/craft_cms4.0.0.14.17.5+3
CVEListV5craftcms/cms>= 4.0.0-RC1, < 4.17.5, >= 5.0.0-RC1, < 5.9.11+1

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

3
GHSA
Craft CMS vulnerable to behavior injection RCE ElementIndexesController and FieldsController2026-03-16
OSV
Craft CMS vulnerable to behavior injection RCE ElementIndexesController and FieldsController2026-03-16
CVEList
Craft CMS vulnerable to behavior injection RCE ElementIndexesController and FieldsController2026-03-16

🕵️Threat Intelligence

1
Wiz
CVE-2026-32264 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-32264 — Unsafe Reflection in Craft CMS | cvebase