Description
Craft is a content management system (CMS). Prior to 5.9.9 and 4.17.4, a Remote Code Execution vulnerability exists in the Craft CMS 5 conditions system. The BaseElementSelectConditionRule::getElementIds() method passes user-controlled string input through renderObjectTemplate() -- an unsandboxed Twig rendering function with escaping disabled. Any authenticated Control Panel user (including non-admin roles such as Author or Editor) can achieve full RCE by sending a crafted condition rule via standard element listing endpoints. This vulnerability requires no admin privileges, no special permissions beyond basic control panel access, and bypasses all production hardening settings (allowAdminChanges: false, devMode: false, enableTwigSandbox: true). Users should update to the patched 5.9.9 or 4.17.4 release to mitigate the issue.
Published: 2026-03-11
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Now
AI Analysis

Impact

Craft CMS’s conditions system passes user-controlled input to the Twig renderObjectTemplate() function without sandboxing or escaping, a flaw classified as CWE-94. An attacker can craft a condition rule and send it through standard element listing endpoints to execute arbitrary code on the server, achieving full control over the site once the exploit is triggered.

Affected Systems

The vulnerability affects all authenticated Control Panel users—including non‑admin roles such as Author or Editor—on Craft CMS versions prior to 5.9.9 (CMS 5.x) and 4.17.4 (CMS 4.x). The affected product is listed under the provided CPE identifiers for craftcms:craft_cms across the 4.0.0‑to‑5.0.0 series.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity. The EPSS score is below 1%, but because only ordinary authentication is required, exploitation is realistic for sites that expose the Control Panel to many users. The vulnerability is not in CISA’s KEV catalog. Exploitation requires valid CP credentials; no additional privilege escalation or network exploitation is needed. The risk is significant for organizations with exposed control panels and fine‑grained user roles. The attack vector is via authenticated CP access rather than remote network exposure.

Generated by OpenCVE AI on March 17, 2026 at 17:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Craft CMS to version 5.9.9 or 4.17.4 (or newer) to eliminate the unsandboxed rendering pathway.



Advisories

Source: GitHub GHSA
ID: GHSA-fp5j-j7j4-mcxc
Title: CraftCMS has an RCE vulnerability via relational conditionals in the control panel
History

Tue, 17 Mar 2026 14:30:00 +0000

Type: First Time appeared
Values Added: Craftcms craft Cms

Type: CPEs
Values Added:
cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:beta1:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:beta2:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:beta3:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:beta4:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Craftcms craft Cms

Type: Metrics (cvssV3_1)
Values Added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Thu, 12 Mar 2026 14:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 12 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values Added: Craftcms; Craftcms craftcms

Type: Vendors & Products
Values Added: Craftcms; Craftcms craftcms

Wed, 11 Mar 2026 17:45:00 +0000

Type: Description
Values Added: Craft is a content management system (CMS). Prior to 5.9.9 and 4.17.4, a Remote Code Execution vulnerability exists in the Craft CMS 5 conditions system. The BaseElementSelectConditionRule::getElementIds() method passes user-controlled string input through renderObjectTemplate() -- an unsandboxed Twig rendering function with escaping disabled. Any authenticated Control Panel user (including non-admin roles such as Author or Editor) can achieve full RCE by sending a crafted condition rule via standard element listing endpoints. This vulnerability requires no admin privileges, no special permissions beyond basic control panel access, and bypasses all production hardening settings (allowAdminChanges: false, devMode: false, enableTwigSandbox: true). Users should update to the patched 5.9.9 or 4.17.4 release to mitigate the issue.

Type: Title
Values Added: CraftCMS has an RCE vulnerability via relational conditionals in the control panel

Type: Weaknesses
Values Added: CWE-94

Type: References

Type: Metrics (cvssV4_0)
Values Added: {'score': 8.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-12T14:02:26.953Z

Reserved: 2026-03-09T19:02:25.011Z

Link: CVE-2026-31857

Vulnrichment

Updated: 2026-03-12T14:02:22.690Z

NVD

Status : Analyzed

Published: 2026-03-11T18:16:24.360

Modified: 2026-03-17T14:15:46.283

Link: CVE-2026-31857

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:30:14Z

Weaknesses