Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, there is a Behavior injection RCE vulnerability in ElementIndexesController and FieldsController. Craft control panel administrator permissions and allowAdminChanges must be enabled for this to work. This issue has been patched in versions 4.17.5 and 5.9.11.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions
craftcms cms affected
Version Status Constraints
>= 4.0.0-RC1, < 4.17.5 affected
>= 5.0.0-RC1, < 5.9.11 affected

No data.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors Products
Craftcms Subscribe
Craftcms Subscribe

Project Subscriptions

Vendors Products
Craftcms Subscribe
Craftcms Subscribe
Advisories
Source ID Title
Github GHSA Github GHSA GHSA-4484-8v2f-5748 Craft CMS vulnerable to behavior injection RCE ElementIndexesController and FieldsController
Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
https://github.com/craftcms/cms/commit/78d181e12e0b15e1300f54ec85f19859d3300f70 cve-icon cve-icon
https://github.com/craftcms/cms/commit/dfec46362fcb40b330ce8a4d8136446e65085620 cve-icon cve-icon
https://github.com/craftcms/cms/security/advisories/GHSA-4484-8v2f-5748 cve-icon cve-icon
https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7 cve-icon cve-icon
History

Tue, 17 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Craftcms
Craftcms craftcms
Vendors & Products Craftcms
Craftcms craftcms

Mon, 16 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
Description Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, there is a Behavior injection RCE vulnerability in ElementIndexesController and FieldsController. Craft control panel administrator permissions and allowAdminChanges must be enabled for this to work. This issue has been patched in versions 4.17.5 and 5.9.11.
Title Craft CMS vulnerable to behavior injection RCE ElementIndexesController and FieldsController
Weaknesses CWE-470
References
Metrics cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-16T19:02:22.720Z

Reserved: 2026-03-11T15:05:48.397Z

Link: CVE-2026-32264

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-03-16T20:16:19.327

Modified: 2026-03-16T20:16:19.327

Link: CVE-2026-32264

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-17T09:52:17Z

Weaknesses