PT-2026-25804 · Craft Cms · Craft Cms

Q1Uf3Ng · Published 2026-02-09 · Updated 2026-03-25 · CVE-2026-32263

CVSS v4.0: 8.6 (High)
Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Craft CMS versions 5.6.0 through 5.9.10

Description: Craft CMS is a content management system (CMS). A flaw exists in the way settings are processed, specifically within the EntryTypesController.php file. The $settings array, derived from parse_str(), is passed directly to Craft::configure() without first being sanitized with Component::cleanseConfig(). This allows the injection of Yii2 behaviors and event handlers through keys prefixed with 'as' or 'on', mirroring a previously identified attack vector. Successful exploitation requires administrator permissions within the Craft control panel and the allowAdminChanges setting to be enabled. An attacker can leverage this to achieve Remote Code Execution (RCE) using the same gadget chain as the original advisory.

Recommendations: Versions 5.6.0 through 5.9.10 should be updated to version 5.9.11.
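The root cause described above is that a configuration array built from request data reaches Craft::configure() (Yii's BaseYii::configure(), which assigns every key as a property) without the cleanse step that strips the two key prefixes yii\base\Component::__set() treats specially: "on <event>" attaches an event handler and "as <behavior>" attaches a behavior. The following is an added illustration, not Craft's own code: a stand-alone re-implementation of that cleanse step, run over a constructed parse_str() payload of the shape the advisory describes, so the difference between the unsanitized and the cleansed array is visible. The function name cleanseConfig and the sample field names are assumptions for this example.

```php
<?php
// Added illustration (not Craft's own code). Mirrors the intent of
// craft\helpers\Component::cleanseConfig() as the advisory describes it:
// drop any key Yii would interpret as an event-handler ("on ...") or
// behavior ("as ...") attachment before the array reaches configure().

/**
 * Strip "on <event>" and "as <behavior>" keys, recursively, so that
 * Yii::configure()/Craft::configure() can only set plain properties.
 */
function cleanseConfig(array $config): array
{
    foreach ($config as $key => $value) {
        // Yii matches the prefix followed by a space; so do we.
        if (is_string($key) && preg_match('/^(on|as)\s/', $key)) {
            unset($config[$key]);
            continue;
        }
        if (is_array($value)) {
            // Nested settings blocks get the same treatment.
            $config[$key] = cleanseConfig($value);
        }
    }
    return $config;
}

// Constructed sample body: what parse_str() yields for a posted settings
// form. Keys are nested under "settings" because PHP only mangles spaces
// in top-level names, not inside brackets, so "on afterSave" survives here.
parse_str(
    'settings[name]=Article&settings[handle]=article'
    . '&settings[on+afterSave]=example&settings[as+extra]=example',
    $parsed
);
$settings = $parsed['settings'];

echo "Unsanitized keys: " . implode(', ', array_keys($settings)) . PHP_EOL;
// Unsanitized keys: name, handle, on afterSave, as extra

$clean = cleanseConfig($settings);
echo "Cleansed keys:    " . implode(', ', array_keys($clean)) . PHP_EOL;
// Cleansed keys:    name, handle

// Hardened usage pattern: only the cleansed array is handed to configure().
// Craft::configure($entryType, cleanseConfig($settings));
```

The regular expression deliberately matches the prefix plus a whitespace character rather than the bare words "on"/"as", so legitimate property names such as "asset" or "onboarding" are left intact while the exact forms Yii's __set() acts on are removed.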

Related Identifiers

CVE-2026-32263
GHSA-7JX7-3846-M7W7
GHSA-QX2Q-Q59V-WF3J

Affected Products

Craft Cms