8.6
CVE-2026-32264
- EPSS 0.52%
- Veröffentlicht 16.03.2026 19:02:22
- Zuletzt bearbeitet 17.03.2026 17:53:45
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Craft CMS vulnerable to behavior injection RCE ElementIndexesController and FieldsController
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, there is a Behavior injection RCE vulnerability in ElementIndexesController and FieldsController. Craft control panel administrator permissions and allowAdminChanges must be enabled for this to work. This issue has been patched in versions 4.17.5 and 5.9.11.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.52% | 0.397 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.2 | 1.2 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
|
| security-advisories@github.com | 8.6 | 0 | 0 |
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
|
CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.
https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7
https://github.com/craftcms/cms/security/advisories/GHSA-4484-8v2f-5748
https://github.com/craftcms/cms/commit/78d181e12e0b15e1300f54ec85f19859d3300f70
https://github.com/craftcms/cms/commit/dfec46362fcb40b330ce8a4d8136446e65085620