CVE-2026-32263
Yii2 Behavior Injection in Craft CMS EntryTypesController (Pre
Publication date: 2026-03-16
Last updated on: 2026-03-17
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| craftcms | craft_cms | From 5.6.0 (inc) to 5.9.11 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-470 | The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32263 is a remote code execution (RCE) vulnerability in Craft CMS versions 5.6.0 to before 5.9.11. The issue arises because the application takes a settings array parsed from user input and passes it directly to a configuration method without proper sanitization. Specifically, the $settings array from parse_str is passed to Craft::configure() without cleansing via Component::cleanseConfig(). This allows an attacker to inject Yii2 behavior or event handlers using specially crafted keys prefixed with "as" or "on".

To exploit this vulnerability, an attacker must have Craft control panel administrator permissions and the allowAdminChanges setting must be enabled. The vulnerability enables the attacker to execute arbitrary code remotely by injecting malicious configuration data.

The vulnerability was patched in Craft CMS version 5.9.11 by adding a sanitization step that cleanses the configuration data before it is applied. [1, 2]
How can this vulnerability impact me?
This vulnerability can lead to remote code execution on the affected Craft CMS system. An attacker with administrator permissions and the allowAdminChanges setting enabled can inject malicious behavior or event handlers, potentially taking full control of the CMS.
The impact includes unauthorized execution of arbitrary code, which can compromise the integrity, confidentiality, and availability of the system and its data.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unsafe handling of configuration data in Craft CMS versions 5.6.0 to before 5.9.11, specifically in the EntryTypesController.php file, where the $settings array from parse_str is passed without sanitization. Detection would involve checking whether your Craft CMS installation is within the vulnerable version range and whether the vulnerable code pattern exists.

You can detect the vulnerability by verifying the installed Craft CMS version and inspecting the file src/controllers/EntryTypesController.php for the unsafe code pattern, particularly in the actionApplyOverrideSettings() method.

Suggested commands to detect the vulnerability on your system include:

- Check the installed Craft CMS version (replace path as needed): `php craft --version`
- Search for the vulnerable code pattern in the source code: `grep -A 5 'function actionApplyOverrideSettings' path/to/craftcms/src/controllers/EntryTypesController.php`
- Look for usage of parse_str and Craft::configure without cleansing: `grep -E 'parse_str|Craft::configure' path/to/craftcms/src/controllers/EntryTypesController.php`

Additionally, monitoring for unusual administrator activity or unexpected behavior in the control panel could indicate exploitation attempts, but no specific network detection commands are provided in the resources. [2, 1]
What immediate steps should I take to mitigate this vulnerability?
The primary and immediate mitigation step is to update Craft CMS to version 5.9.11 or later, where the vulnerability has been patched by adding sanitization of the $settings array using Component::cleanseConfig() before applying configuration changes.
If updating immediately is not possible, ensure that only trusted users have control panel administrator permissions and that the allowAdminChanges setting is disabled to reduce the risk of exploitation.
Review and restrict access to the Craft CMS control panel to prevent unauthorized users from exploiting this vulnerability.
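The unsafe flow described in the explanation above (parse_str output applied as configuration) and the fix described in the mitigation answer (cleansing before Craft::configure()), shown side by side as an added example that is not Craft CMS's own code. The cleanseConfig() and applyConfig() functions below are simplified stand-ins for Component::cleanseConfig() and Craft::configure(), and the request body is constructed; all are assumptions made for illustration.

```php
<?php
// Added example, not Craft CMS's own code. It models the flow the advisory
// describes: a query string is parsed with parse_str(), and the resulting
// array is applied to an object as configuration. In a Yii2 component, keys
// beginning with "on " (event handler) or "as " (behavior) are interpreted
// specially, so configuration built from request data must drop them.

// Stand-in for craft\base\Component::cleanseConfig() (assumption: a
// simplified reimplementation, not the library's code). Drops any top-level
// key that a component would treat as an event handler or behavior.
function cleanseConfig(array $config): array
{
    foreach (array_keys($config) as $key) {
        if (is_string($key) && (str_starts_with($key, 'on ') || str_starts_with($key, 'as '))) {
            unset($config[$key]);
        }
    }
    return $config;
}

// Stand-in for Craft::configure()/Yii::configure(): assigns each key as a
// property. A stdClass target only records the keys and attaches nothing,
// which is enough to show which keys reach the object.
function applyConfig(object $target, array $config): void
{
    foreach ($config as $name => $value) {
        $target->{$name} = $value;
    }
}

// Constructed request body: one ordinary setting and a nested key that a
// Yii2 component would read as a behavior definition. The values are nested
// under "settings[...]" because parse_str() rewrites spaces in top-level
// names to underscores but keeps nested keys verbatim.
$body = 'settings%5BtitleFormat%5D=%7Bname%7D'
    . '&settings%5Bas%20injected%5D%5Bclass%5D=Vendor%5CSomeBehavior';
parse_str($body, $parsed);
$settings = $parsed['settings'];

// Vulnerable pattern (5.6.0 to before 5.9.11): settings applied as parsed,
// so the "as injected" key reaches the object.
$before = new stdClass();
applyConfig($before, $settings);
var_dump(property_exists($before, 'as injected'));

// Patched pattern (5.9.11): cleanse first, then apply. The ordinary setting
// survives; the "as injected" key is gone before configuration is applied.
$after = new stdClass();
applyConfig($after, cleanseConfig($settings));
var_dump(property_exists($after, 'as injected'), $after->titleFormat);
```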