SB2026021831 - Multiple vulnerabilities in Craft CMS



SB2026021831 - Multiple vulnerabilities in Craft CMS

Published: February 18, 2026 Updated: June 16, 2026

Security Bulletin ID SB2026021831
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 8
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Medium 38% Low 63%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 8 vulnerabilities.


1) Improper privilege management (CVE-ID: CVE-2026-25497)

CWE-ID: CWE-269 - Improper Privilege Management

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to escalate privileges.

The vulnerability exists due to improper privilege management in the GraphQL API. A remote user can escalate privileges.


2) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-28782)

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to bypass authorization and access restricted content.

The vulnerability exists due to improper access control in the Duplicate entry action when handling direct requests with user-controlled Entry IDs. A remote user can send a specially crafted request to bypass authorization and access restricted content.

The issue can be exploited by a user with only "View Entries" permission, and incremental Entry IDs make brute-force enumeration possible.


3) Improperly Controlled Modification of Dynamically-Determined Object Attributes (CVE-ID: CVE-2026-28781)

CWE-ID: CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to spoof entry authorship.

The vulnerability exists due to improperly controlled modification of dynamically-determined object attributes in the entry creation process when handling crafted POST requests. A remote user can add the authorId or authorIds[] parameter to a request to spoof entry authorship.

Exploitation requires an account with permission to create entries and knowledge of the target user's account ID.


4) Improper access control (CVE-ID: CVE-2026-28696)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in the GraphQL `@parseRefs` directive and `craft\services\Elements::parseRefs` when parsing user-supplied internal reference tags in GraphQL content. A remote user can inject a crafted reference tag to disclose sensitive information.

Unauthenticated exploitation is possible if a Public Schema is enabled.


5) Incomplete List of Disallowed Inputs (CVE-ID: CVE-2026-28783)

CWE-ID: CWE-184 - Incomplete List of Disallowed Inputs

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary code, read arbitrary files, perform server-side request forgery, or conduct server-side template injection.

The vulnerability exists due to incomplete list of disallowed inputs in Twig non-Closure arrow functions when processing crafted template expressions. A remote user can invoke blocklisted-bypass PHP functions to execute arbitrary code, read arbitrary files, perform server-side request forgery, or conduct server-side template injection.

Exploitation requires either `allowAdminChanges` to be enabled on production, a compromised admin account, or access to the System Messages utility.


6) Improper Neutralization of Special Elements Used in a Template Engine (CVE-ID: CVE-2026-28697)

CWE-ID: CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper neutralization of special elements used in a template engine in Twig template fields when rendering attacker-controlled template content. A remote user can inject a server-side template injection payload that writes a malicious PHP script to a web-accessible directory to execute arbitrary code.

Exploitation requires access to an authenticated administrator account with allowAdminChanges enabled, or access to the System Messages utility.


7) Cross-site scripting (CVE-ID: N/A)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary script in a victim's browser.

The vulnerability exists due to cross-site scripting in the _includes/forms/checkbox.twig template when rendering stored settings names and field option labels. A remote user can inject a crafted name or label value to execute arbitrary script in a victim's browser.

Exploitation requires administrative access, and the issue is exposed when allowAdminChanges is enabled in production. Some cases also require a victim to visit affected control panel pages where the stored value is rendered.


8) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-29069)

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to trigger activation emails for arbitrary pending user accounts and potentially gain access to the system.

The vulnerability exists due to improper access control in the actionSendActivationEmail() endpoint when handling user-supplied userId parameters for pending users. A remote attacker can send a specially crafted request with an arbitrary user ID to trigger activation emails for arbitrary pending user accounts and potentially gain access to the system.

If the attacker controls the target user's email address, the activation flow can be completed to access the account. The endpoint responses can also reveal whether a user ID exists and whether the account is pending or active.


Remediation

Install update from vendor's website.