High severityNVD Advisory· Published Mar 16, 2026· Updated Mar 17, 2026
Craft CMS vulnerable to behavior injection RCE ElementIndexesController and FieldsController
CVE-2026-32264
Description
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, there is a Behavior injection RCE vulnerability in ElementIndexesController and FieldsController. Craft control panel administrator permissions and allowAdminChanges must be enabled for this to work. This issue has been patched in versions 4.17.5 and 5.9.11.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
craftcms/cmsPackagist | >= 4.0.0-RC1, < 4.17.5 | 4.17.5 |
craftcms/cmsPackagist | >= 5.0.0-RC1, < 5.9.11 | 5.9.11 |
Affected products
1Patches
278d181e12e0bFixed HSA-4484-8v2f-5748 part 2
1 file changed · +1 −0
src/controllers/FieldsController.php+1 −0 modified@@ -319,6 +319,7 @@ public function actionRenderSettings(): Response } }, ARRAY_FILTER_USE_KEY); + $settings = Component::cleanseConfig($settings); Typecast::properties($type, $settings); Craft::configure($field, $settings); }
dfec46362fcbFixed an RCE vulnerability
2 files changed · +6 −5
CHANGELOG.md+1 −0 modified@@ -3,6 +3,7 @@ ## Unreleased - Fixed a bug where the control panel requests could trigger an infinite browser redirect loop. ([#18420](https://github.com/craftcms/cms/issues/18420)) +- Fixed an RCE vulnerability. ## 4.17.4 - 2026-02-11
src/controllers/ElementIndexesController.php+5 −5 modified@@ -412,16 +412,16 @@ public function actionFilterHud(): Response $conditionsService = Craft::$app->getConditions(); + if (!$conditionConfig && $serialized) { + parse_str($serialized, $conditionConfig); + $conditionConfig = $conditionConfig['condition']; + } + if ($conditionConfig) { $conditionConfig = Component::cleanseConfig($conditionConfig); /** @var ElementConditionInterface $condition */ $condition = $conditionsService->createCondition($conditionConfig); - } elseif ($serialized) { - parse_str($serialized, $conditionConfig); - /** @var ElementConditionInterface $condition */ - $condition = $conditionsService->createCondition($conditionConfig['condition']); } else { - /** @var ElementConditionInterface $condition */ $condition = $this->elementType()::createCondition(); }
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6- github.com/advisories/GHSA-4484-8v2f-5748ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-32264ghsaADVISORY
- github.com/craftcms/cms/commit/78d181e12e0b15e1300f54ec85f19859d3300f70ghsax_refsource_MISCWEB
- github.com/craftcms/cms/commit/dfec46362fcb40b330ce8a4d8136446e65085620ghsax_refsource_MISCWEB
- github.com/craftcms/cms/security/advisories/GHSA-4484-8v2f-5748ghsax_refsource_CONFIRMWEB
- github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7ghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.