Description
Webhooks for Craft CMS plugin adds the ability to manage “webhooks” in Craft CMS, which will send GET or POST requests when certain events occur. From version 3.0.0 to before version 3.2.0, the Webhooks plugin renders user-supplied template content through Twig’s renderString() function without sandbox protection. This allows an authenticated user with access to the Craft control panel and permissions to access the Webhooks plugin to inject Twig template code that calls arbitrary PHP functions. This is possible even if allowAdminChanges is set to false. This issue has been patched in version 3.2.0.
Published: 2026-03-16
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Now
AI Analysis

Impact

The Webhooks plugin for Craft CMS, versions 3.0.0 through 3.1.x, renders user‑supplied template content via Twig’s renderString() without any sandbox protection. This implementation flaw lets an authenticated user who can access the plugin through the Craft control panel inject arbitrary Twig code that invokes any PHP function. Consequently, an attacker can execute arbitrary server‑side code, compromising confidentiality, integrity, and availability of the affected system.
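To make the "without sandbox protection" distinction concrete, the following is an added illustration (not the Webhooks plugin's code and not part of this advisory) of rendering an operator-supplied template under a Twig SecurityPolicy so that template authors cannot reach PHP callables. It assumes twig/twig is installed via Composer; the templates, context and the renderWebhookBody helper are constructed for this example.

```php
<?php
// Added illustration, not the Webhooks plugin's code: render an operator-supplied
// webhook body template under a Twig sandbox instead of an unrestricted renderString().
// Assumes twig/twig is installed via Composer; templates and context are constructed here.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Allowlist only what a payload template legitimately needs. With no functions,
// methods or properties permitted there is no path from the template to a PHP callable.
$policy = new SecurityPolicy(
    ['if', 'for'],                       // tags
    ['escape', 'date', 'json_encode'],   // filters
    [],                                  // methods callable on objects
    [],                                  // properties readable on objects
    []                                   // functions
);

$twig = new Environment(new ArrayLoader());
// Second argument true: sandbox every template, not only those inside {% sandbox %}.
$twig->addExtension(new SandboxExtension($policy, true));

function renderWebhookBody(Environment $twig, string $template, array $context): string
{
    try {
        return $twig->createTemplate($template)->render($context);
    } catch (SecurityError $e) {
        // Refuse the template and surface the reason; this is also the event worth logging.
        return 'rejected: ' . $e->getMessage();
    }
}

// Constructed sample context, roughly what an "entry saved" event might carry.
$ctx = ['event' => ['name' => 'entry.save', 'id' => 42]];

// Permitted: plain variable output using only allowlisted filters.
echo renderWebhookBody($twig, '{"event":"{{ event.name }}","id":{{ event.id }}}', $ctx), PHP_EOL;
// Refused: a function call outside the allowlist raises SecurityNotAllowedFunctionError.
echo renderWebhookBody($twig, '{{ range(1, 3)|join(",") }}', $ctx), PHP_EOL;
```

The rejection branch is the signal a defender wants: a webhook template that tries to call a non-allowlisted function is a configuration error or an attempt worth alerting on, not something to render.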

Affected Systems

All installations of the Webhooks plugin from version 3.0.0 up to, but not including, 3.2.0 are affected. Exploitation requires a user with control‑panel access and permission to manage the plugin; the issue persists even when the allowAdminChanges setting is disabled.

Risk and Exploitability

The CVSS score of 8.5 signals a high‑severity vulnerability. EPSS data is unavailable, and the issue is not listed in CISA’s KEV catalog. Exploitation requires authenticated access with plugin permissions, but does not depend on remote network access if the attacker can reach the control panel. Given the severity and lack of mitigation in older versions, the risk to affected installations is significant.

Generated by OpenCVE AI on March 16, 2026 at 22:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Webhooks plugin to version 3.2.0 or newer, where the vulnerability is fixed.
  • If an upgrade cannot be applied immediately, disable the Webhooks plugin or set it to read‑only mode to prevent template rendering.
  • Restrict control‑panel access so that only trusted, least‑privilege users have permissions to manage the Webhooks plugin.
  • Audit other Craft CMS plugins that use Twig’s renderString() without sandbox protection and apply available patches or restrictions.



Advisories

Source: Github GHSA
ID: GHSA-8wg7-wm29-2rvg
Title: RCE via SSTI for users with permissions to access the Craft CMS Webhooks plugin
History

Tue, 17 Mar 2026 10:00:00 +0000

Values Added (nothing removed):
  First Time appeared: Craftcms; Craftcms webhooks
  Vendors & Products: Craftcms; Craftcms webhooks

Mon, 16 Mar 2026 20:15:00 +0000

Values Added (nothing removed):
  Metrics: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 19:00:00 +0000

Values Added (nothing removed):
  Description: Webhooks for Craft CMS plugin adds the ability to manage “webhooks” in Craft CMS, which will send GET or POST requests when certain events occur. From version 3.0.0 to before version 3.2.0, the Webhooks plugin renders user-supplied template content through Twig’s renderString() function without sandbox protection. This allows an authenticated user with access to the Craft control panel and permissions to access the Webhooks plugin to inject Twig template code that calls arbitrary PHP functions. This is possible even if allowAdminChanges is set to false. This issue has been patched in version 3.2.0.
  Title: RCE via SSTI for users with permissions to access the Craft CMS Webhooks plugin
  Weaknesses: CWE-1336
  References:
  Metrics: cvssV4_0
    {'score': 8.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-16T19:27:05.370Z

Reserved: 2026-03-11T15:05:48.397Z

Link: CVE-2026-32261

Vulnrichment

Updated: 2026-03-16T19:26:53.273Z

NVD

Status: Awaiting Analysis

Published: 2026-03-16T19:16:17.577

Modified: 2026-03-17T14:20:01.670

Link: CVE-2026-32261

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:50:00Z

Weaknesses