Vulnerability in Craftcms Cms

CVE-2026-32264

Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, there is a Behavior injection RCE vulnerability in ElementIndexesController and FieldsCont…

EPSS: 0.000 (15.3th percentile) — read the EPSS interpretation.

Affected products

Craftcms Cms — versions >= 4.0.0-RC1, < 4.17.5, >= 5.0.0-RC1, < 5.9.11

Weakness classification (CWE)

CWE-470 — Use of Externally-Controlled Input to Select Classes or Code (Unsafe Reflection)

References

https://github.com/craftcms/cms/security/advisories/GHSA-4484-8v2f-5748 (x_refsource_CONFIRM)
https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7 (x_refsource_MISC)
https://github.com/craftcms/cms/commit/78d181e12e0b15e1300f54ec85f19859d3300f70 (x_refsource_MISC)
https://github.com/craftcms/cms/commit/dfec46362fcb40b330ce8a4d8136446e65085620 (x_refsource_MISC)