CVE-2026-31857

Name of the Vulnerable Software and Affected Versions Craft versions prior to 5.9.9 Craft versions prior to 4.17.4

Description Craft is a content management system (CMS). A Remote Code Execution issue exists in the Craft CMS 5 conditions system. The BaseElementSelectConditionRule::getElementIds() method passes user-controlled string input through renderObjectTemplate(), a Twig rendering function that lacks sandboxing and has escaping disabled. Any authenticated Control Panel user, including those with non-administrative roles like Author or Editor, can achieve full Remote Code Execution by sending a specially crafted condition rule through standard element listing endpoints. This issue does not require administrator privileges or special permissions beyond basic Control Panel access and bypasses all production hardening settings. The renderObjectTemplate() function is involved in the issue.

Recommendations Craft versions prior to 5.9.9 should be updated to version 5.9.9. Craft versions prior to 4.17.4 should be updated to version 4.17.4.