Description
Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.11, in src/controllers/EntryTypesController.php, the $settings array from parse_str is passed directly to Craft::configure() without Component::cleanseConfig(). This allows injecting Yii2 behavior/event handlers via "as" or "on" prefixed keys, the same attack vector as the original advisory. Craft control panel administrator permissions and allowAdminChanges must be enabled for this to work. This issue has been patched in version 5.9.11.
Published: 2026-03-16
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability lies in Craft CMS's EntryTypesController, where an array of settings parsed from a query string is passed directly to Craft::configure() without being cleansed. This lets a malicious actor inject Yii2 behavior and event-handler definitions through keys prefixed with "as" or "on", which amounts to code execution. The weakness is classified as CWE-470 (unsafe reflection); the impact is Remote Code Execution when the attacker can supply input that the controller processes.
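To make the missing cleanse step concrete, here is an added example, not Craft's own code and not its Component::cleanseConfig(), of a filter that drops the Yii2 "as "/"on " configuration keys from request-derived settings before they reach Craft::configure(). The function name cleanseRequestConfig and the sample settings array are assumptions constructed for illustration.

```php
<?php
// Added example, not Craft CMS code. Yii2's Component::__set() treats a config key
// beginning with "as " as a behavior attachment and one beginning with "on " as an
// event-handler attachment, so request-supplied settings must never carry such keys
// into Yii::configure() / Craft::configure(). cleanseRequestConfig() is a hypothetical
// name chosen for this example.

/**
 * Returns $config with every "as ..." / "on ..." key removed, recursing into nested
 * arrays. Removed keys are appended to $rejected so the caller can log and alert.
 */
function cleanseRequestConfig(array $config, array &$rejected = []): array
{
    $clean = [];
    foreach ($config as $key => $value) {
        // Yii matches the literal prefixes "as " and "on " case-sensitively; this
        // check is deliberately stricter (any case, any whitespace) so no variant
        // of a dangerous key slips through.
        if (is_string($key) && preg_match('/^(as|on)\s/i', $key)) {
            $rejected[] = $key;
            continue;
        }
        $clean[$key] = is_array($value)
            ? cleanseRequestConfig($value, $rejected)
            : $value;
    }
    return $clean;
}

// Constructed sample standing in for what parse_str() could hand back from a
// tampered settings string; the values are placeholders, not working payloads.
$settings = [
    'name'        => 'News',
    'handle'      => 'news',
    'as injected' => ['class' => 'PLACEHOLDER'],
    'fieldLayout' => ['on afterSave' => 'PLACEHOLDER'],
];

$rejected = [];
$safe = cleanseRequestConfig($settings, $rejected);

// Pass only $safe on to Craft::configure(). A non-empty $rejected at this point is a
// tampering signal worth a warning-level log line from the controller.
var_export($safe);
var_export($rejected);
```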

Affected Systems

The flaw affects Craft CMS versions from 5.6.0 up to but not including 5.9.11. The affected product series is craftcms:cms, as listed in the vendor data. Any site running a version within this range is vulnerable.

Risk and Exploitability

The CVSS score of 8.6 indicates high severity. The EPSS score of less than 1% suggests a low current probability of exploitation, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires Craft control panel administrator permissions and the allowAdminChanges setting set to true, so the attack is carried out through the control panel interface. If those conditions are met, an attacker could achieve complete code execution on the affected system.

Generated by OpenCVE AI on March 17, 2026 at 19:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Craft CMS 5.9.11 or newer patch to remediate the RCE flaw.
  • If immediate patching is not possible, disable the allowAdminChanges setting or remove admin privileges to prevent exploitation.



Advisories

Source: GitHub GHSA
ID: GHSA-qx2q-q59v-wf3j
Title: Craft CMS vulnerable to behavior injection RCE via EntryTypesController
History

Tue, 17 Mar 2026 18:00:00 +0000
  First Time appeared: added Craftcms craft Cms
  CPEs: added cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
  Vendors & Products: added Craftcms craft Cms
  Metrics: added cvssV3_1
    {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Tue, 17 Mar 2026 16:15:00 +0000
  Metrics: added ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 17 Mar 2026 10:00:00 +0000
  First Time appeared: added Craftcms, Craftcms craftcms
  Vendors & Products: added Craftcms, Craftcms craftcms

Mon, 16 Mar 2026 19:30:00 +0000
  Description: added (the description shown at the top of this page)
  Title: added Craft CMS vulnerable to behavior injection RCE via EntryTypesController
  Weaknesses: added CWE-470
  References: added
  Metrics: added cvssV4_0
    {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE
  Status: PUBLISHED
  Assigner: GitHub_M
  Published:
  Updated: 2026-03-17T15:21:16.718Z
  Reserved: 2026-03-11T15:05:48.397Z
  Link: CVE-2026-32263

Vulnrichment
  Updated: 2026-03-17T15:21:12.626Z

NVD
  Status: Analyzed
  Published: 2026-03-16T20:16:19.170
  Modified: 2026-03-17T17:55:32.583
  Link: CVE-2026-32263

Redhat
  No data.

OpenCVE Enrichment
  Updated: 2026-03-24T10:49:58Z

Weaknesses