PT-2026-25802 · Craft Cms
Neosprings · Published 2026-03-16 · Updated 2026-03-17
CVE-2026-32261
CVSS v4.0: 8.5 (High)
Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
Webhooks for Craft CMS plugin versions 3.0.0 through 3.1.9
Description
The Webhooks plugin for Craft CMS allows management of webhooks, which send GET or POST requests upon specific events. Versions 3.0.0 through 3.1.9 render user-supplied template content using Twig's renderString() function without sandbox protection. This enables an authenticated user with access to the Craft control panel and permission to use the Webhooks plugin to inject Twig template code capable of calling arbitrary PHP functions. This is possible even if allowAdminChanges is set to false. The issue is a Server-Side Template Injection (SSTI).
Recommendations
Update to version 3.2.0 or later to resolve the issue.
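The description attributes the issue to rendering user-supplied templates without sandbox protection. The following is an added example (not the plugin's or Craft's own code) of rendering a user-controlled webhook body through Twig's SandboxExtension with an explicit allow-list policy; it uses plain Twig rather than Craft's View API, and the policy contents, helper name and sample data are assumptions.

```php
<?php
// Added example: sandboxed rendering of a user-supplied webhook body template.
require __DIR__ . '/vendor/autoload.php';   // assumes twig/twig is installed via Composer

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\Extension\SandboxExtension;
use Twig\Sandbox\SecurityPolicy;
use Twig\Sandbox\SecurityError;

// Allow-list policy (assumed contents): only these tags, filters and functions
// may appear in a user-controlled template. No object methods or properties
// are exposed, so the template cannot reach arbitrary PHP callables.
$policy = new SecurityPolicy(
    ['if', 'for'],            // allowed tags
    ['json_encode', 'upper'], // allowed filters
    [],                       // allowed methods   (class => [method, ...])
    [],                       // allowed properties (class => [property, ...])
    ['range']                 // allowed functions
);

// Webhook bodies are JSON, not HTML, so HTML auto-escaping is turned off and
// values are encoded explicitly with json_encode in the template instead.
$twig = new Environment(new ArrayLoader(), ['autoescape' => false]);
// Second argument true: every template compiled by this environment is
// sandboxed, not only those wrapped in a {% sandbox %} block.
$twig->addExtension(new SandboxExtension($policy, true));

/** Hypothetical helper: render a user template, or return null if the policy rejects it. */
function renderWebhookBody(Environment $twig, string $userTemplate, array $vars): ?string
{
    try {
        return $twig->createTemplate($userTemplate)->render($vars);
    } catch (SecurityError $e) {
        // Refuse the whole template rather than render it partially; log for detection.
        error_log('Rejected webhook template: ' . $e->getMessage());
        return null;
    }
}

// Constructed sample event data for the webhook payload
$vars = ['event' => 'entry.save', 'title' => 'Hello'];

// Accepted: uses only allow-listed filters
var_dump(renderWebhookBody($twig, '{"event": {{ event|json_encode }}, "title": {{ title|upper|json_encode }}}', $vars));
// Rejected: date() is a Twig function that is not in the policy, so a SecurityError is thrown
var_dump(renderWebhookBody($twig, '{"sent": {{ date("Y")|json_encode }}}', $vars));
```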
Affected Products
Craft Cms
Webhooks For Craft Cms