CVE-2026-32264— Craft CMS vulnerable to behavior injection RCE ElementIndexesController and FieldsController
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-32264
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Craft CMS vulnerable to behavior injection RCE ElementIndexesController and FieldsController
Source: NVD (National Vulnerability Database)
Vulnerability Description
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, there is a Behavior injection RCE vulnerability in ElementIndexesController and FieldsController. Craft control panel administrator permissions and allowAdminChanges must be enabled for this to work. This issue has been patched in versions 4.17.5 and 5.9.11.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
使用外部可控制的输入来选择类或代码(不安全的反射)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Craft CMS 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Craft CMS是Craft CMS开源的一套内容管理系统(CMS)。 Craft CMS 4.0.0-RC1至4.17.5之前版本和5.0.0-RC1至5.9.11之前版本存在安全漏洞,该漏洞源于ElementIndexesController和FieldsController中存在行为注入远程代码执行漏洞。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-32264
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-32264
请登录查看更多情报信息。
- Fixed an RCE vulnerability · craftcms/cms@dfec463 · GitHubx_refsource_MISC
- Fixed HSA-4484-8v2f-5748 part 2 · craftcms/cms@78d181e · GitHubx_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2026-32264
Same Patch Batch · craftcms · 2026-03-16 · 5 CVEs total
| CVE-2026-32261 | RCE via SSTI for users with permissions to access the Craft CMS Webhooks plugin | |
| CVE-2026-32263 | Craft CMS vulnerable to behavior injection RCE via EntryTypesController | |
| CVE-2026-32262 | Craft CMS has a Path Traversal Vulnerability in AssetsController | |
| CVE-2026-32267 | Craft CMS Vulnerable to Privilege Escalation/Bypass through UsersController->actionImperso |
IV. Related Vulnerabilities
Same product: cms
- CVE-2026-7508
Bootstrap CMS Page Creation show.blade.php code injection - CVE-2026-7317
Grav CMS Cache Value FileCache.php doGet deserialization - CVE-2026-7016
MaxSite CMS ushki Plugin cross site scripting - CVE-2026-7015
MaxSite CMS Guestbook Plugin cross site scripting - CVE-2026-7014
MaxSite CMS down_count Plugin cross site scripting
Same vendor: craftcms
- CVE-2026-41130
Craft CMS has a host header injection leading to SSRF via re - CVE-2026-41129
Craft CMS has Server-Side Request Forgery (SSRF) with Asset - CVE-2026-41128
Craft CMS has a Missing Authorization Check on User Group Re - CVE-2026-32272
Craft Commerce: Blind SQL Injection via hasVariant/hasProduc - CVE-2026-32271
Craft Commerce: SQL Injection can lead to Remote Code Execut
Same weakness: CWE-470
- CVE-2026-8178
Remote Code Execution via Unsafe Class Loading in Amazon Red - CVE-2026-44339
PraisonAI has unsafe tool resolution in `ToolExecutionMixin. - CVE-2026-42027
Apache OpenNLP: Arbitrary Class Instantiation via Model Mani - CVE-2026-41175
Statamic: Unsafe method invocation via query value resolutio - CVE-2018-25239
Smart VPN 1.1.3.0 Denial of Service via Search
V. Comments for CVE-2026-32264
No comments yet