Cyber Resilience

CVE-2026-32263

Severity: High
Published: 16 March 2026
Modified: 17 March 2026
KEV Added: not listed
Patch: available (5.9.11)
CVSS Score (v4): 8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0050 (38.8th percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-32263 is a high-severity Unsafe Reflection (CWE-470) vulnerability in Craft CMS (vendor: craftcms). Its CVSS v4 base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 38.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-32263 is a vulnerability in Craft CMS, a content management system, affecting versions from 5.6.0 up to but not including 5.9.11. The issue resides in the src/controllers/EntryTypesController.php file, where the $settings array parsed from parse_str is passed directly to Craft::configure() without applying Component::cleanseConfig(). This flaw enables the injection of Yii2 behavior or event handlers through keys prefixed with "as" or "on", mirroring an attack vector from a prior advisory. It is classified under CWE-470 with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H).

Exploitation requires an attacker to possess Craft control panel administrator permissions, with the allowAdminChanges setting enabled. A privileged user can trigger the vulnerability over the network with low complexity and no user interaction, potentially achieving high impacts on confidentiality, integrity, and availability through the injected Yii2 handlers.

The vulnerability has been addressed in Craft CMS version 5.9.11. Official advisories and the patching commit are detailed in GitHub security advisories GHSA-7jx7-3846-m7w7 and GHSA-qx2q-q59v-wf3j, along with the specific fix in commit d37389dbffafa565143be40a2ab1e1db22a863f7. Security practitioners should upgrade to 5.9.11 or later and review configurations for allowAdminChanges.
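As an added illustration (not Craft's own code), the cleansing step the fix applies can be expressed in PHP as below; cleanseSettings() is a hypothetical helper modelled on the Component::cleanseConfig() behaviour the advisory describes, and the form body is constructed for the example.

```php
<?php
declare(strict_types=1);

// Added illustration, not Craft's code: cleanseSettings() is a hypothetical
// helper modelled on the cleansing step the advisory says the fix applies
// (Component::cleanseConfig()) before the array reaches Craft::configure().
// Yii2's Component::__set() treats a key "on <event>" as an event-handler
// attachment and "as <name>" as a behavior attachment, so such keys must
// never be allowed to originate from request data.

/** Recursively drop keys that Yii2 would interpret as "on "/"as " attachments. */
function cleanseSettings(array $config): array
{
    foreach ($config as $key => $value) {
        if (is_string($key) && (str_starts_with($key, 'on ') || str_starts_with($key, 'as '))) {
            unset($config[$key]);
            continue;
        }
        if (is_array($value)) {
            // Nested arrays are also handed to configure() for sub-objects.
            $config[$key] = cleanseSettings($value);
        }
    }
    return $config;
}

// Constructed sample form body, decoded with parse_str exactly as a
// controller would. The "on "/"as " keys are placeholders, not a payload;
// parse_str turns "+" into a space, giving "on afterSave" and "as extra".
$body = 'settings[name]=Article'
    . '&settings[on+afterSave][0]=placeholder'
    . '&settings[as+extra][class]=placeholder'
    . '&settings[titleFormat]=%7Btitle%7D';
parse_str($body, $post);

$raw  = $post['settings'];
$safe = cleanseSettings($raw);

// Before cleansing the request controls attachment keys; afterwards only
// plain property assignments remain and the array is safe for configure().
if (array_keys($safe) !== ['name', 'titleFormat']) {
    throw new RuntimeException('cleansing did not remove attachment keys');
}
var_dump(array_keys($raw));
var_dump(array_keys($safe));
```

A defensive review of any controller that feeds parse_str output into Yii::configure() or Craft::configure() should look for exactly this missing step.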

Vulnerability details

Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.11, in src/controllers/EntryTypesController.php, the $settings array from parse_str is passed directly to Craft::configure() without Component::cleanseConfig(). This allows injecting Yii2 behavior/event handlers via "as" or "on" prefixed keys, the same attack vector as the original advisory. Craft control panel administrator permissions and allowAdminChanges must be enabled for this to work. This issue has been patched in version 5.9.11.

CWE(s): CWE-470 (Unsafe Reflection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
T1546 Event Triggered Execution (Privilege Escalation): Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events.
Why these techniques?

Admin-authenticated config injection via unsanitized 'as'/'on' keys directly enables remote exploitation of the public-facing Craft CMS app (T1190) and arbitrary command/script execution through Yii2 behavior/event handler abuse (T1059.004, T1546).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-68455 (same product: Craftcms Craft Cms)
CVE-2026-25498 (same product: Craftcms Craft Cms)
CVE-2026-33157 (same product: Craftcms Craft Cms)
CVE-2026-32264 (same product: Craftcms Craft Cms)
CVE-2026-25495 (same product: Craftcms Craft Cms)
CVE-2025-23209 (same product: Craftcms Craft Cms)
CVE-2026-28784 (same product: Craftcms Craft Cms)
CVE-2026-31857 (same product: Craftcms Craft Cms)
CVE-2026-32267 (same product: Craftcms Craft Cms)
CVE-2025-68456 (same product: Craftcms Craft Cms)

Affected Assets

craftcms / craft cms, versions 5.6.0 to before 5.9.11

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

SI-2 Flaw Remediation (prevent): Requires timely identification, reporting, and remediation of software flaws like the unsafe passing of unsanitized $settings from parse_str to Craft::configure(), as patched in version 5.9.11.

SI-10 Information Input Validation (prevent): Mandates validation of all information inputs, directly preventing injection of malicious Yii2 behavior or event handlers via 'as' or 'on' prefixed keys in the EntryTypesController.

Secure configuration settings (prevent): Establishes and enforces secure configuration settings, such as disabling allowAdminChanges unless strictly required, blocking a key prerequisite for exploitation.
