CVE-2026-32263— Craft CMS vulnerable to behavior injection RCE via EntryTypesController
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-32263
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Craft CMS vulnerable to behavior injection RCE via EntryTypesController
Source: NVD (National Vulnerability Database)
Vulnerability Description
Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.11, in src/controllers/EntryTypesController.php, the $settings array from parse_str is passed directly to Craft::configure() without Component::cleanseConfig(). This allows injecting Yii2 behavior/event handlers via "as" or "on" prefixed keys, the same attack vector as the original advisory. Craft control panel administrator permissions and allowAdminChanges must be enabled for this to work. This issue has been patched in version 5.9.11.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
使用外部可控制的输入来选择类或代码(不安全的反射)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Craft CMS 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Craft CMS是Craft CMS开源的一套内容管理系统(CMS)。 Craft CMS 5.6.0至5.9.11之前版本存在安全漏洞,该漏洞源于src/controllers/EntryTypesController.php中parse_str返回的$settings数组未经Component::cleanseConfig处理直接传递给Craft::configure,可能导致通过as或on前缀键注入Yii2行为或事件处理器。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-32263
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-32263
请登录查看更多情报信息。
- Fixed GHSA-qx2q-q59v-wf3j · craftcms/cms@d37389d · GitHubx_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2026-32263
Same Patch Batch · craftcms · 2026-03-16 · 5 CVEs total
| CVE-2026-32261 | RCE via SSTI for users with permissions to access the Craft CMS Webhooks plugin | |
| CVE-2026-32264 | Craft CMS vulnerable to behavior injection RCE ElementIndexesController and FieldsControll | |
| CVE-2026-32262 | Craft CMS has a Path Traversal Vulnerability in AssetsController | |
| CVE-2026-32267 | Craft CMS Vulnerable to Privilege Escalation/Bypass through UsersController->actionImperso |
IV. Related Vulnerabilities
Same product: cms
- CVE-2026-7508
Bootstrap CMS Page Creation show.blade.php code injection - CVE-2026-7317
Grav CMS Cache Value FileCache.php doGet deserialization - CVE-2026-7016
MaxSite CMS ushki Plugin cross site scripting - CVE-2026-7015
MaxSite CMS Guestbook Plugin cross site scripting - CVE-2026-7014
MaxSite CMS down_count Plugin cross site scripting
Same vendor: craftcms
- CVE-2026-41130
Craft CMS has a host header injection leading to SSRF via re - CVE-2026-41129
Craft CMS has Server-Side Request Forgery (SSRF) with Asset - CVE-2026-41128
Craft CMS has a Missing Authorization Check on User Group Re - CVE-2026-32272
Craft Commerce: Blind SQL Injection via hasVariant/hasProduc - CVE-2026-32271
Craft Commerce: SQL Injection can lead to Remote Code Execut
Same weakness: CWE-470
- CVE-2026-8178
Remote Code Execution via Unsafe Class Loading in Amazon Red - CVE-2026-44339
PraisonAI has unsafe tool resolution in `ToolExecutionMixin. - CVE-2026-42027
Apache OpenNLP: Arbitrary Class Instantiation via Model Mani - CVE-2026-41175
Statamic: Unsafe method invocation via query value resolutio - CVE-2018-25239
Smart VPN 1.1.3.0 Denial of Service via Search
V. Comments for CVE-2026-32263
No comments yet