Vulnerability in Craftcms Cms
CVE-2026-32263
Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.11, in src/controllers/EntryTypesController.php, the $settings array from parse_str is passed directly to Craft::configure() without Component::cleans…
EPSS: 0.000 (15.2th percentile)
Affected products
- Craftcms Cms — versions >= 5.6.0, < 5.9.11
Weakness classification (CWE)
References
- https://github.com/craftcms/cms/security/advisories/GHSA-qx2q-q59v-wf3j (x_refsource_CONFIRM)
- https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7 (x_refsource_MISC)
- https://github.com/craftcms/cms/commit/d37389dbffafa565143be40a2ab1e1db22a863f7 (x_refsource_MISC)