CVE-2026-32263
Published: 16 March 2026
Summary
CVE-2026-32263 is a high-severity Unsafe Reflection (CWE-470) vulnerability in craftcms Craft CMS. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 14.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely identification, reporting, and remediation of software flaws such as the unsanitized $settings array from parse_str being passed to Craft::configure(), as patched in version 5.9.11.
- SI-10 (Information Input Validation): mandates validation of all information inputs, directly preventing injection of malicious Yii2 behaviors or event handlers via 'as'- or 'on'-prefixed keys in EntryTypesController.
- Secure configuration settings: establishes and enforces secure configuration, such as disabling allowAdminChanges unless strictly required, which removes a prerequisite for exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Admin-authenticated config injection via unsanitized 'as'/'on' keys directly enables remote exploitation of the public-facing Craft CMS app (T1190) and arbitrary command/script execution through Yii2 behavior/event handler abuse (T1059.004, T1546).
NVD Description
Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.11, in src/controllers/EntryTypesController.php, the $settings array from parse_str is passed directly to Craft::configure() without Component::cleanseConfig(). This allows injecting Yii2 behavior/event handlers via "as" or "on" prefixed keys, the same attack vector as the original advisory. Craft control panel administrator permissions and allowAdminChanges must be enabled for this to work. This issue has been patched in version 5.9.11.
Deeper analysis
CVE-2026-32263 is a vulnerability in Craft CMS, a content management system, affecting versions from 5.6.0 up to but not including 5.9.11. The issue resides in the src/controllers/EntryTypesController.php file, where the $settings array parsed from parse_str is passed directly to Craft::configure() without applying Component::cleanseConfig(). This flaw enables the injection of Yii2 behavior or event handlers through keys prefixed with "as" or "on", mirroring an attack vector from a prior advisory. It is classified under CWE-470 with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H).
Exploitation requires an attacker to possess Craft control panel administrator permissions, with the allowAdminChanges setting enabled. A privileged user can trigger the vulnerability over the network with low complexity and no user interaction, potentially achieving high impacts on confidentiality, integrity, and availability through the injected Yii2 handlers.
The vulnerability has been addressed in Craft CMS version 5.9.11. The fix is documented in GitHub security advisories GHSA-7jx7-3846-m7w7 and GHSA-qx2q-q59v-wf3j and in commit d37389dbffafa565143be40a2ab1e1db22a863f7. Security practitioners should upgrade to 5.9.11 or later and review whether allowAdminChanges needs to remain enabled.
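The following PHP is an added illustration and is not code from Craft CMS or Yii2. It shows the defect class described above (request-controlled keys from parse_str reaching a configure()-style call) and a cleanse step of the kind the fix applies. The cleanseConfig() and parseSettingsSafely() functions are hypothetical stand-ins written for this example; Craft's real Component::cleanseConfig() may differ in detail. What is relied on from Yii2 is only its documented convention that Component::__set() treats keys of the form "on <event>" and "as <name>" as event-handler and behavior attachments. The query string is constructed for the example.

```php
<?php
// Added example, not Craft CMS or Yii2 project code.
// Yii2's Component::__set() interprets keys shaped "on <event>" / "as <name>"
// as event-handler and behavior attachments, so any configure()-style call
// that receives user-controlled keys lets the request attach handlers.
// cleanseConfig() is a hypothetical stand-in for Component::cleanseConfig().
declare(strict_types=1);

/**
 * Remove keys Yii2 would interpret as "on ..." / "as ..." attachments.
 * The match is deliberately broader than Yii's literal "on " / "as " check
 * (any whitespace, case-insensitive) so that near-variants are dropped too.
 * Recurses into nested arrays: parse_str rewrites spaces and dots to
 * underscores in a top-level name, so an attachment key is more likely to
 * arrive inside a bracketed (nested) segment, which parse_str leaves intact.
 * Rejected keys are collected by reference so the caller can log them.
 */
function cleanseConfig(array $config, array &$rejected = []): array
{
    $clean = [];
    foreach ($config as $key => $value) {
        if (is_string($key) && preg_match('/^(?:on|as)\s/i', $key) === 1) {
            $rejected[] = $key;
            continue;
        }
        $clean[$key] = is_array($value) ? cleanseConfig($value, $rejected) : $value;
    }
    return $clean;
}

/**
 * Parse a settings query string the way the vulnerable controller did, but
 * cleanse the result before it could be handed to configure(). Returns the
 * cleansed settings; $log receives one line per request that carried rejected
 * keys, which is the signal a defender wants to see in application logs.
 */
function parseSettingsSafely(string $query, ?callable $log = null): array
{
    parse_str($query, $settings);
    $rejected = [];
    $settings = cleanseConfig($settings, $rejected);
    if ($rejected !== [] && $log !== null) {
        $log(sprintf('entry-type settings: stripped %d handler key(s): %s',
            count($rejected), implode(', ', $rejected)));
    }
    return $settings;
}

// Constructed input: ordinary settings plus a nested "as "-prefixed key of the
// kind the advisory describes ("extra" and "SomeBehavior" are placeholders).
// parse_str decodes "as+x" inside the brackets to the key "as x".
$constructedQuery = 'name=Article&handle=article'
    . '&extra%5Bas+x%5D%5Bclass%5D=SomeBehavior'
    . '&titleFormat=%7Btitle%7D';

$settings = parseSettingsSafely($constructedQuery, function (string $line): void {
    fwrite(STDERR, $line . PHP_EOL);
});
print_r($settings);
// name, handle and titleFormat survive; "extra" is left as an empty array
// because its only child was the rejected "as x" key, and one line is
// written to STDERR naming the stripped key.
```

The log line is the detection hook: a control-panel request whose settings carry "as"/"on" keys is not something a legitimate entry-type edit produces, so a single such line in the application log is worth an alert, independent of whether the patch is already in place.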
Details
- CWE(s)