← Retour aux CVEs

CVE-2026-32264

HIGH

7.2

Description

Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, there is a Behavior injection RCE vulnerability in ElementIndexesController and FieldsController. Craft control panel administrator permissions and allowAdminChanges must be enabled for this to work. This issue has been patched in versions 4.17.5 and 5.9.11.

Details CVE

Score CVSS v3.17.2

SeveriteHIGH

Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Vecteur d'attaqueNETWORK

ComplexiteLOW

Privileges requisHIGH

Interaction utilisateurNONE

Publie3/16/2026

Derniere modification3/17/2026

Sourcenvd

Observations honeypot0

Produits affectes

craftcms:craft_cms

Faiblesses (CWE)

CWE-470

References

https://github.com/craftcms/cms/commit/78d181e12e0b15e1300f54ec85f19859d3300f70(security-advisories@github.com)

https://github.com/craftcms/cms/commit/dfec46362fcb40b330ce8a4d8136446e65085620(security-advisories@github.com)

https://github.com/craftcms/cms/security/advisories/GHSA-4484-8v2f-5748(security-advisories@github.com)

https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7(security-advisories@github.com)

Correlations IOC

Aucune correlation enregistree

This product uses data from the NVD API but is not endorsed or certified by the NVD.