CVE-2026-32264
Craft CMS vulnerable to behavior injection RCE in ElementIndexesController and FieldsController
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, there is a behavior injection RCE vulnerability in ElementIndexesController and FieldsController. Exploitation requires Craft control panel administrator permissions, and allowAdminChanges must be enabled. This issue has been patched in versions 4.17.5 and 5.9.11.
| CWE | CWE-470 |
| Vendor | craftcms |
| Product | cms |
| Published | Mar 16, 2026 |
| Last Updated | Mar 17, 2026 |
Affected Versions
craftcms / cms
>= 4.0.0-RC1, < 4.17.5
>= 5.0.0-RC1, < 5.9.11
References
github.com: https://github.com/craftcms/cms/security/advisories/GHSA-4484-8v2f-5748
github.com: https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7
github.com: https://github.com/craftcms/cms/commit/78d181e12e0b15e1300f54ec85f19859d3300f70
github.com: https://github.com/craftcms/cms/commit/dfec46362fcb40b330ce8a4d8136446e65085620