7.2 CVE-2026-32264

Enriched by CISA Patch

Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, there is a Behavior injection RCE vulnerability in ElementIndexesController and FieldsController. Craft control panel administrator permissions and allowAdminChanges must be enabled for this to work. This issue has been patched in versions 4.17.5 and 5.9.11.
https://nvd.nist.gov/vuln/detail/CVE-2026-32264

Categories

CWE-470 : Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
If the product uses external inputs to determine which class to instantiate or which method to invoke, then an attacker could supply values to select unexpected classes or methods. If this occurs, then the attacker could create control flow paths that were not intended by the developer. These paths could bypass authentication or access control checks, or otherwise cause the product to behave in an unexpected manner. This situation becomes a doomsday scenario if the attacker can upload files into a location that appears on the product's classpath (CWE-427) or add new entries to the product's classpath (CWE-426). Under either of these conditions, the attacker can use reflection to introduce new, malicious behavior into the product.

References

security-advisories@github.com Patch

https://github.com/craftcms/cms/commit/78d181e12e0b15e1300f54ec85f19859d3300f70 Patch
https://github.com/craftcms/cms/commit/dfec46362fcb40b330ce8a4d8136446e65085620 Patch
https://github.com/craftcms/cms/security/advisories/GHSA-4484-8v2f-5748 Patch Vendor Advisory
https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7 Vendor Advisory

AFFECTED (from MITRE)

Vendor	Product	Versions
craftcms	cms	>= 4.0.0-RC1, < 4.17.5 [affected] >= 5.0.0-RC1, < 5.9.11 [affected]
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

CPE

cpe	start	end
Configuration 1
cpe:2.3:a:craftcms:craft_cms::::::::	>= 4.0.0.1	< 4.17.5
cpe:2.3:a:craftcms:craft_cms::::::::	>= 5.0.1	< 5.9.11
cpe:2.3:a:craftcms:craft_cms:4.0.0:-::::::
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1::::::
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2::::::
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3::::::
cpe:2.3:a:craftcms:craft_cms:5.0.0:-::::::
cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1::::::

REMEDIATION

Patch

Url
https://github.com/craftcms/cms/commit/78d181e12e0b15e1300f54ec85f19859d3300f70
https://github.com/craftcms/cms/commit/dfec46362fcb40b330ce8a4d8136446e65085620
https://github.com/craftcms/cms/security/advisories/GHSA-4484-8v2f-5748

EXPLOITS

Exploit-db.com

id	description	date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
No known exploits

CAPEC

Common Attack Pattern Enumerations and Classifications

id	description	severity
138	Reflection Injection An adversary supplies a value to the target application which is then used by reflection methods to identify a class, method, or field. For example, in the Java programming language the reflection libraries permit an application to inspect, load, and invoke classes and their components by name. If an adversary can control the input into these methods including the name of the class/method/field or the parameters passed to methods, they can cause the targeted application to invoke incorrect methods, read random fields, or even to load and utilize malicious classes that the adversary created. This can lead to the application revealing sensitive information, returning incorrect results, or even having the adversary take control of the targeted application.	Very High

Cybersecurity needs ?

Strengthen software security from the outset with our DevSecOps expertise

Integrate security right from the start of the software development cycle for more robust applications and greater customer confidence.
Our team of DevSecOps experts can help you secure your APIs, data pipelines, CI/CD chains, Docker containers and Kubernetes deployments.

Discover this offer

Soutenez No Hack Me sur Tipeee