Description
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, there is a Behavior injection RCE vulnerability in ElementIndexesController and FieldsController. Craft control panel administrator permissions and allowAdminChanges must be enabled for this to work. This issue has been patched in versions 4.17.5 and 5.9.11.
Published: 2026-03-16
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

Craft CMS is a content management system. Versions 4.0.0-RC1 up to but not including 4.17.5, and 5.0.0-RC1 up to but not including 5.9.11, contain a behavior injection remote code execution vulnerability in ElementIndexesController and FieldsController. An authenticated control panel user with administrator permissions, on an installation where the allowAdminChanges config setting is enabled, can submit a crafted request in which request-controlled input selects the behavior class the application instantiates, which ends in arbitrary PHP code execution on the server. The weakness is classified as CWE-470 (Use of Externally-Controlled Input to Select Classes or Code, "Unsafe Reflection"): the problem is that untrusted input picks the class or code that runs, not the use of an inherently dangerous function.

Affected Systems

Affected systems are installations of Craft CMS (CPE vendor craftcms, product craft_cms) running any release from 4.0.0-RC1 through 4.17.4 inclusive or from 5.0.0-RC1 through 5.9.10 inclusive; the CPE entries list the 4.0.0 and 5.0.0 release candidates explicitly alongside the 4.0.0 to 4.17.4 and 5.0.0 to 5.9.10 ranges. Craft 3.x is not listed as affected. An affected install is only exploitable when an attacker can act as a control panel administrator and allowAdminChanges is enabled; both conditions must hold.

Risk and Exploitability

The CVSS v4.0 base score of 8.6 (v3.1: 7.2) reflects a network-reachable, low-complexity attack that needs high privileges (PR:H) but no user interaction and yields full confidentiality, integrity and availability impact on the host. The EPSS estimate is below 1% and the SSVC assessment records no known exploitation and rates it not automatable, which matches the admin-account prerequisite. That prerequisite is weaker protection than it sounds: allowAdminChanges is enabled by default in Craft and is frequently left on outside production, and admin credentials are a routine target of phishing, credential reuse and session theft, so any admin compromise on an unpatched install escalates to code execution on the web server. The flaw is not currently listed in the CISA KEV catalog. Given the severity and the low effort required once an admin account is in hand, the recommendation is to patch immediately.

Generated by OpenCVE AI on March 17, 2026 at 19:22 UTC.

Remediation

The vendor has fixed this issue in Craft CMS 4.17.5 and 5.9.11 (see the description above and the GHSA advisory below). Until an upgrade is possible, the documented precondition can be removed by setting allowAdminChanges to false, which is the recommended production setting in any case.

OpenCVE Recommended Actions

  • Upgrade craftcms/cms to 4.17.5 or newer on the 4.x line, or 5.9.11 or newer on the 5.x line, and confirm the installed version from composer.lock rather than from the control panel alone.
  • If the upgrade cannot be performed immediately, set allowAdminChanges to false in config/general.php (or through the CRAFT_ALLOW_ADMIN_CHANGES environment variable) for production environments, and reduce the number of accounts holding control panel admin permissions until the patch is applied.
  • Audit custom modules and plugins for code that attaches behaviors or instantiates classes from request-supplied names; the same CWE-470 pattern can exist outside Craft core and is not covered by the vendor patch.
  • Review control panel and web server logs for admin-account requests to the element index and field management actions from unexpected sources or at unexpected times, enforce MFA on admin accounts, and record when and how the issue was remediated.
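The first action above depends on knowing the exact installed craftcms/cms version. The following POSIX shell check is an added example, not code from OpenCVE or the Craft project: it reads the version out of a composer.lock file with awk and tests it against the fixed releases. The composer.lock content is constructed sample data, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from OpenCVE or the Craft project): decide whether an installed
# craftcms/cms version falls inside the affected ranges for CVE-2026-32264.
# Affected: 4.0.0-RC1 .. 4.17.4 and 5.0.0-RC1 .. 5.9.10. Fixed: 4.17.5 and 5.9.11.

# Return 0 (true) when VERSION is affected, 1 otherwise.
# A leading "v" and any pre-release tag ("4.0.0-RC1") are stripped before comparing;
# every 4.x and 5.x release candidate predates the fix, so that is conservative.
craft_cve_2026_32264_affected() {
    v=$(printf '%s' "$1" | sed -e 's/^v//' -e 's/-.*$//')
    set -- $(printf '%s' "$v" | tr '.' ' ')
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    case "$major" in
        4) [ "$minor" -lt 17 ] || { [ "$minor" -eq 17 ] && [ "$patch" -lt 5 ]; } ;;
        5) [ "$minor" -lt 9 ]  || { [ "$minor" -eq 9 ]  && [ "$patch" -lt 11 ]; } ;;
        *) return 1 ;;
    esac
}

# Print the "version" of the craftcms/cms package from a composer.lock file (JSON).
# awk only, so it runs on a bare production host without jq installed.
craft_version_from_lock() {
    awk '/"name": *"craftcms\/cms"/ { found = 1 }
         found && /"version":/ { sub(/.*"version": *"/, ""); sub(/".*/, ""); print; exit }' "$1"
}

# One-line verdict for a lock file; echoes the result and returns the affected status.
craft_cve_2026_32264_report() {
    ver=$(craft_version_from_lock "$1")
    if craft_cve_2026_32264_affected "$ver"; then
        echo "craftcms/cms $ver: AFFECTED by CVE-2026-32264, upgrade to 4.17.5 / 5.9.11 or later"
        return 0
    fi
    echo "craftcms/cms $ver: outside the affected ranges"
    return 1
}

# Constructed sample composer.lock (not from a real project) so the script runs stand-alone.
SAMPLE_LOCK=$(mktemp)
trap 'rm -f "$SAMPLE_LOCK"' EXIT
cat > "$SAMPLE_LOCK" <<'EOF'
{
    "packages": [
        {
            "name": "craftcms/cms",
            "version": "4.17.4"
        },
        {
            "name": "yiisoft/yii2",
            "version": "2.0.49"
        }
    ]
}
EOF

craft_cve_2026_32264_report "$SAMPLE_LOCK"
```

Point the report function at a real project's composer.lock to check a deployment; a version that is not affected still deserves the allowAdminChanges review above, since that setting governs more than this one CVE.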


Advisories
Source: Github GHSA
ID: GHSA-4484-8v2f-5748
Title: Craft CMS vulnerable to behavior injection RCE ElementIndexesController and FieldsController
History

Tue, 17 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Craftcms craft Cms
CPEs cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*
Vendors & Products Craftcms craft Cms
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


Tue, 17 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 17 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Craftcms
Craftcms craftcms
Vendors & Products Craftcms
Craftcms craftcms

Mon, 16 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
Description Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, there is a Behavior injection RCE vulnerability in ElementIndexesController and FieldsController. Craft control panel administrator permissions and allowAdminChanges must be enabled for this to work. This issue has been patched in versions 4.17.5 and 5.9.11.
Title Craft CMS vulnerable to behavior injection RCE ElementIndexesController and FieldsController
Weaknesses CWE-470
References
Metrics cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-17T15:20:28.421Z

Reserved: 2026-03-11T15:05:48.397Z

Link: CVE-2026-32264

Vulnrichment

Updated: 2026-03-17T15:20:24.564Z

NVD

Status : Analyzed

Published: 2026-03-16T20:16:19.327

Modified: 2026-03-17T17:53:45.057

Link: CVE-2026-32264

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:49:57Z

Weaknesses