Craft CMS vulnerable to behavior injection RCE via EntryTypesController
Description
Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.11, in src/controllers/EntryTypesController.php, the $settings array from parse_str is passed directly to Craft::configure() without Component::cleanseConfig(). This allows injecting Yii2 behavior/event handlers via "as" or "on" prefixed keys, the same attack vector as the original advisory. Craft control panel administrator permissions and allowAdminChanges must be enabled for this to work. This issue has been patched in version 5.9.11.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Craft CMS 5.6.0–5.9.10 has an authenticated RCE via behavior injection in EntryTypesController due to unsanitized configuration data.
Vulnerability
Overview
In Craft CMS versions 5.6.0 through 5.9.10, the EntryTypesController.php file passes the $settings array from parse_str directly to Craft::configure() without sanitization via Component::cleanseConfig(). This allows an attacker to inject Yii2 behavior or event handlers using keys prefixed with "as" or "on", leading to arbitrary code execution [1][2].
Exploitation
To exploit this, an attacker must hold Craft control panel administrator permissions, and the allowAdminChanges configuration setting must be enabled. By crafting a POST request to the affected endpoint with malicious settings parameters, the attacker can inject a behavior such as AttributeTypecastBehavior that triggers PHP code execution via callbacks like typecastAfterValidate. This is a variant of a previously reported vulnerability (GHSA-255j-qw47-wjh5) in a code path that the earlier fix did not cover [2].
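The mechanism in the Overview and Exploitation sections above, as an added example that is not Craft's or Yii's code. MiniComponent is a stand-in reproducing only the part of yii\base\Component::__set() that matters here (a property named "as <name>" attaches a behavior built from the value, "on <event>" registers an event handler); configure() mirrors what Yii::configure(), which Craft::configure() aliases, does; and cleanseConfig() is this example's assumed equivalent of craft\helpers\Component::cleanseConfig(), dropping "as "/"on " keys recursively. The request body is constructed. Requires PHP 8.

```php
<?php
declare(strict_types=1);

// Added example, not Craft's or Yii's code. MiniComponent stands in for the
// relevant part of yii\base\Component::__set(): Yii treats a property named
// "as <name>" as "attach behavior <name>, built from the value", and
// "on <event>" as "register an event handler". Real Yii builds the behavior
// with Yii::createObject($value), instantiating the class named in
// $value['class'] and setting its properties from the rest of the array.
final class MiniComponent
{
    public string $name = '';
    public string $handle = '';
    /** @var array<string, mixed> behavior name => config that would be instantiated */
    public array $behaviors = [];
    /** @var array<string, list<mixed>> event name => registered handlers */
    public array $handlers = [];

    public function __set(string $key, mixed $value): void
    {
        if (str_starts_with($key, 'on ')) {
            $this->handlers[substr($key, 3)][] = $value;
            return;
        }
        if (str_starts_with($key, 'as ')) {
            $this->behaviors[substr($key, 3)] = $value;
            return;
        }
        throw new RuntimeException("Setting unknown property: $key");
    }
}

// What Yii::configure() does: assign every key/value pair as a property, so
// attacker-controlled keys reach __set() unchanged.
function configure(object $object, array $properties): object
{
    foreach ($properties as $key => $value) {
        $object->$key = $value;
    }
    return $object;
}

// Assumed equivalent of craft\helpers\Component::cleanseConfig(): recursively
// drop any string key beginning with "on " or "as " before configuration.
function cleanseConfig(array $config): array
{
    foreach ($config as $key => $value) {
        if (is_string($key) && (str_starts_with($key, 'on ') || str_starts_with($key, 'as '))) {
            unset($config[$key]);
            continue;
        }
        if (is_array($value)) {
            $config[$key] = cleanseConfig($value);
        }
    }
    return $config;
}

/** Feeds a posted form body through the controller's path, with or without the cleanse. */
function applySettings(string $formBody, bool $cleanse): MiniComponent
{
    parse_str($formBody, $posted);
    // Mirrors: array_filter(ArrayHelper::getValue($postedSettings, $settingsNamespace, []))
    $settings = array_filter($posted['settings'] ?? []);
    if ($cleanse) {
        $settings = cleanseConfig($settings);
    }
    return configure(new MiniComponent(), $settings);
}

// Constructed request body: legitimate fields plus an "as " key smuggled in.
// The key sits inside the bracketed namespace; parse_str rewrites spaces to
// underscores only in the top-level variable name, so the nested key survives.
$body = http_build_query([
    'settings' => [
        'name'        => 'Article',
        'handle'      => 'article',
        'as injected' => ['class' => 'yii\behaviors\AttributeTypecastBehavior'],
    ],
]);

$vulnerable = applySettings($body, cleanse: false);
$patched    = applySettings($body, cleanse: true);

printf("without cleanse, behaviors attached: %s\n", json_encode(array_keys($vulnerable->behaviors)));
printf("with cleanse, behaviors attached:    %s\n", json_encode(array_keys($patched->behaviors)));
```

Run with `php example.php`: on the uncleansed path the "injected" behavior config is accepted by __set() and would be instantiated by real Yii, while on the cleansed path the key is stripped before configure() ever sees it. The remaining name and handle values are assigned normally in both cases, which is why the fix in 5.9.11 can be a single cleanseConfig() call in front of Craft::configure() without changing legitimate behaviour.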
Impact
Successful exploitation allows an authenticated administrator to execute arbitrary system commands on the server, leading to full compromise of the Craft CMS installation and potentially the underlying server [2].
Mitigation
The vulnerability is patched in Craft CMS version 5.9.11 [1]. All users running affected versions should upgrade immediately. The fix includes using Component::cleanseConfig() to sanitize user-supplied configuration before passing it to Craft::configure() [4]. There are no known workarounds for this issue.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| craftcms/cms (Packagist) | >= 5.6.0, < 5.9.11 | 5.9.11 |
Affected products
Patches
d37389dbffaf Fixed GHSA-qx2q-q59v-wf3j
2 files changed · +3 −1
CHANGELOG.md+1 −1 modified@@ -7,7 +7,7 @@ - Impoved the performance of `craft\helpers\Typecast`. ([#18426](https://github.com/craftcms/cms/pull/18426)) - Fixed a bug where some Matrix bulk action labels weren’t getting translated. - Fixed a bug where global nav items weren’t showing an icon if the icon was set to `0`. -- Fixed a [moderate-severity](https://github.com/craftcms/cms/security/policy#severity--remediation) RCE vulnerability. (GHSA-4484-8v2f-5748) +- Fixed [moderate-severity](https://github.com/craftcms/cms/security/policy#severity--remediation) RCE vulnerabilities. (GHSA-4484-8v2f-5748, GHSA-qx2q-q59v-wf3j) ## 5.9.10 - 2026-02-12
src/controllers/EntryTypesController.php+2 −0 modified@@ -16,6 +16,7 @@ use craft\enums\Color; use craft\fieldlayoutelements\entries\EntryTitleField; use craft\helpers\ArrayHelper; +use craft\helpers\Component; use craft\helpers\Cp; use craft\helpers\Html; use craft\helpers\StringHelper; @@ -384,6 +385,7 @@ public function actionApplyOverrideSettings(): Response $settings = array_filter(ArrayHelper::getValue($postedSettings, $settingsNamespace, [])); if (!empty($settings)) { + $settings = Component::cleanseConfig($settings); Craft::configure($entryType, $settings); $entryType->validateHandleUniqueness = false;
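Review bot: the unchanged context line "Impoved the performance of `craft\helpers\Typecast`" just above the edited CHANGELOG entry still carries a typo; since the file is touched in this commit, correcting it to "Improved" here would be cheap.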
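Review bot: the fix cleanses $settings at a single call site, the Craft::configure($entryType, $settings) in actionApplyOverrideSettings, and the change touches no test file (2 files changed, CHANGELOG and the controller), so nothing in this diff stops the same pattern from reappearing. Add a regression test that posts a settings blob containing an "as " and an "on " key and asserts the entry type ends up with no extra behaviors or event handlers, and confirm that any other place where posted settings reach Craft::configure() goes through Component::cleanseConfig() as well, since the advisory notes this is the same vector as the earlier fix in a different code path. Placing the cleanse after the array_filter() call is fine; the filter only removes empty values and does not touch keys.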
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-qx2q-q59v-wf3j (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-32263 (NVD advisory)
- github.com/craftcms/cms/commit/d37389dbffafa565143be40a2ab1e1db22a863f7 (fix commit)
- github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7 (related Craft CMS advisory)
- github.com/craftcms/cms/security/advisories/GHSA-qx2q-q59v-wf3j (Craft CMS advisory, confirm)