PT-2026-25802 · Craft Cms+1
Neosprings
·
Published
2026-03-16
·
Updated
2026-03-17
·
CVE-2026-32261
CVSS v4.0
8.5
High
| Vector | AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
Webhooks for Craft CMS plugin versions 3.0.0 through 3.1.9
Description
The Webhooks plugin for Craft CMS manages webhooks that send GET or POST requests when specific events occur. Versions 3.0.0 through 3.1.9 render user-supplied template content through Twig's renderString() function without sandbox protection. An authenticated user with access to the Craft control panel and permission to use the Webhooks plugin can therefore inject Twig template code capable of calling arbitrary PHP functions. This is possible even when allowAdminChanges is set to false. The issue is a Server-Side Template Injection (SSTI).
Recommendations
Update to version 3.2.0 or later to resolve the issue.
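To illustrate the sandboxing the description says is missing, here is an added example (not the plugin's code and not its 3.2.0 fix): a user-supplied webhook template rendered through a Twig 3 environment with SandboxExtension and a restrictive SecurityPolicy, so any method, filter or function outside the allow-list raises SecurityError instead of executing. The WebhookEvent class, the allow-list contents and the Composer autoload path are assumptions.

```php
<?php
// Added example, not code from the Webhooks plugin. Assumes PHP 8+ and
// Twig 3 installed via Composer (twig/twig).
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Hypothetical event object that a webhook payload template may reference.
final class WebhookEvent
{
    public function __construct(public string $name, public int $id) {}
    public function dangerousSideEffect(): string { return 'must never run'; }
}

function renderUserTemplate(string $userTemplate, array $vars): string
{
    $twig = new Environment(new ArrayLoader(), ['autoescape' => false]);
    // Allow-list only what a payload template legitimately needs.
    $policy = new SecurityPolicy(
        ['if', 'for'],                           // tags
        ['escape', 'json_encode', 'upper'],      // filters
        [WebhookEvent::class => ['getName']],    // methods, per class
        [WebhookEvent::class => ['name', 'id']], // properties, per class
        ['range']                                // functions
    );
    // Second argument true: sandbox every template, not only {% sandbox %} blocks.
    $twig->addExtension(new SandboxExtension($policy, true));
    try {
        return $twig->createTemplate($userTemplate)->render($vars);
    } catch (SecurityError $e) {
        // Reject and log; never fall back to unsandboxed rendering.
        return 'rejected: ' . $e->getMessage();
    }
}

$event = new WebhookEvent('entry.saved', 42);
// Legitimate payload template: renders normally.
echo renderUserTemplate('{"event":"{{ event.name }}","id":{{ event.id }}}', ['event' => $event]), PHP_EOL;
// Constructed template calling a method outside the allow-list: rejected.
echo renderUserTemplate('{{ event.dangerousSideEffect() }}', ['event' => $event]), PHP_EOL;
```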
Exploit
Fix
RCE
Found a problem in the description? Have something to add? Feel free to write to us 👾
Weakness Enumeration
Related identifiers
Affected products
Craft Cms
Webhooks For Craft Cms