7.2 CVE-2026-32263

Enriched by CISA Patch

Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.11, in src/controllers/EntryTypesController.php, the $settings array from parse_str is passed directly to Craft::configure() without Component::cleanseConfig(). This allows injecting Yii2 behavior/event handlers via "as" or "on" prefixed keys, the same attack vector as the original advisory. Craft control panel administrator permissions and allowAdminChanges must be enabled for this to work. This issue has been patched in version 5.9.11.
https://nvd.nist.gov/vuln/detail/CVE-2026-32263

Categories

CWE-470 : Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
If the product uses external inputs to determine which class to instantiate or which method to invoke, then an attacker could supply values to select unexpected classes or methods. If this occurs, then the attacker could create control flow paths that were not intended by the developer. These paths could bypass authentication or access control checks, or otherwise cause the product to behave in an unexpected manner. This situation becomes a doomsday scenario if the attacker can upload files into a location that appears on the product's classpath (CWE-427) or add new entries to the product's classpath (CWE-426). Under either of these conditions, the attacker can use reflection to introduce new, malicious behavior into the product.

References

security-advisories@github.com Patch

https://github.com/craftcms/cms/commit/d37389dbffafa565143be40a2ab1e1db22a863f7 Patch
https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7 Vendor Advisory
https://github.com/craftcms/cms/security/advisories/GHSA-qx2q-q59v-wf3j Patch Vendor Advisory

AFFECTED (from MITRE)

Vendor	Product	Versions
craftcms	cms	>= 5.6.0, < 5.9.11 [affected]
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

CPE

cpe	start	end
Configuration 1
cpe:2.3:a:craftcms:craft_cms::::::::	>= 5.6.0	< 5.9.11

REMEDIATION

Patch

Url
https://github.com/craftcms/cms/commit/d37389dbffafa565143be40a2ab1e1db22a863f7
https://github.com/craftcms/cms/security/advisories/GHSA-qx2q-q59v-wf3j

EXPLOITS

Exploit-db.com

id	description	date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
No known exploits

CAPEC

Common Attack Pattern Enumerations and Classifications

id	description	severity
138	Reflection Injection An adversary supplies a value to the target application which is then used by reflection methods to identify a class, method, or field. For example, in the Java programming language the reflection libraries permit an application to inspect, load, and invoke classes and their components by name. If an adversary can control the input into these methods including the name of the class/method/field or the parameters passed to methods, they can cause the targeted application to invoke incorrect methods, read random fields, or even to load and utilize malicious classes that the adversary created. This can lead to the application revealing sensitive information, returning incorrect results, or even having the adversary take control of the targeted application.	Very High

Cybersecurity needs ?

Strengthen software security from the outset with our DevSecOps expertise

Integrate security right from the start of the software development cycle for more robust applications and greater customer confidence.
Our team of DevSecOps experts can help you secure your APIs, data pipelines, CI/CD chains, Docker containers and Kubernetes deployments.

Discover this offer

Soutenez No Hack Me sur Tipeee