SB2026061668 - Multiple vulnerabilities in Craft CMS
Published: June 16, 2026
Description
This security bulletin contains information about 4 vulnerabilities.
1) Path traversal (CVE-ID: CVE-2026-32262)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote authenticated user to delete arbitrary files within the same filesystem root.
The vulnerability exists due to path traversal in AssetsController->replaceFile() when processing the targetFilename body parameter. A remote user can inject ../ sequences into the filename so that the file operation resolves outside the intended asset folder and deletes arbitrary files within the same filesystem root.
This only affects local filesystems. Other folders or volumes that share the same filesystem root as the affected volume can be impacted.
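As an added illustration (not code from Craft CMS or from its fix commit), the PHP below shows the check a file-replacement handler should apply to a request-supplied target filename before acting on it: reject anything that is not a single path component, then confirm with realpath() that the resolved path still lies under the volume root. The function name, the volume root and the sample files are assumptions constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example, not Craft CMS code. Resolves an untrusted target filename
// against a local volume root and returns the absolute path to operate on,
// or null when the name is not a plain file name inside that root.
function resolveInsideRoot(string $root, string $targetFilename): ?string
{
    // 1. Syntactic checks on the raw request value: a replacement target must be
    //    a single path component. Separators, NUL bytes and the dot entries are
    //    rejected before any filesystem call (realpath() rejects NUL bytes).
    if ($targetFilename === '' || $targetFilename === '.' || $targetFilename === '..') {
        return null;
    }
    if (preg_match('#[/\\\\\x00]#', $targetFilename) === 1) {
        return null;
    }
    if (basename($targetFilename) !== $targetFilename) {
        return null;
    }

    // 2. Canonicalise the root and the candidate and confirm containment. This
    //    also catches a symlink named like a file but pointing outside the root.
    $realRoot = realpath($root);
    if ($realRoot === false) {
        return null;
    }
    $candidate = $realRoot . DIRECTORY_SEPARATOR . $targetFilename;
    $realCandidate = realpath($candidate);
    if ($realCandidate === false) {
        // Target does not exist yet; the syntactic checks above already bound
        // it to the root, so a create/replace may proceed at this path.
        return $candidate;
    }
    $prefix = $realRoot . DIRECTORY_SEPARATOR;
    if (strncmp($realCandidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $realCandidate;
}

// Demonstration on a temporary volume (constructed for this example).
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'volume-' . bin2hex(random_bytes(4));
mkdir($root);
file_put_contents($root . DIRECTORY_SEPARATOR . 'photo.jpg', 'jpeg bytes');
$outside = tempnam(sys_get_temp_dir(), 'outside-');
symlink($outside, $root . DIRECTORY_SEPARATOR . 'link.jpg');

$cases = [
    'photo.jpg',            // legitimate replacement target
    '../../etc/passwd',     // traversal via ../ sequences
    "photo.jpg\0.txt",      // NUL byte in the name
    'link.jpg',             // symlink escaping the root
    'new.jpg',              // not present yet, allowed at the bound path
];
foreach ($cases as $name) {
    printf("%-22s => %s\n", addcslashes($name, "\0"), var_export(resolveInsideRoot($root, $name), true));
}

unlink($root . DIRECTORY_SEPARATOR . 'link.jpg');
unlink($root . DIRECTORY_SEPARATOR . 'photo.jpg');
rmdir($root);
unlink($outside);
```

The syntactic check is what blocks the ../ sequences described above; the realpath() comparison is the second line of defence for names that look clean but resolve elsewhere, which is exactly the case on a volume whose root is shared with other folders.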
2) Cross-site scripting (CVE-ID: CVE-2026-33051)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to escalate privileges.
The vulnerability exists due to cross-site scripting in the revision/draft context menu of the element editor, which renders the creator's fullName as raw HTML. A remote user can set a crafted fullName, then create an entry and save it twice (so that the context menu has a revision to render), causing the payload to execute in the browser of whoever opens that menu and escalate privileges.
Exploitation requires a logged-in administrator to execute the crafted payload while an elevated session is active.
3) Code Injection (CVE-ID: CVE-2026-32264)
CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper control of dynamically managed code resources in ElementIndexesController and FieldsController when handling crafted control panel requests. A remote user can submit crafted data that reuses the gadget chain from the original advisory for this issue to execute arbitrary code.
Exploitation requires control panel administrator permissions and the allowAdminChanges config setting to be enabled.
4) Code Injection (CVE-ID: CVE-2026-32263)
CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper control of code generation in EntryTypesController::actionApplyOverrideSettings() when processing crafted settings parameters. A remote user can inject Yii2 configuration keys that attach behaviors ('as ...') or event handlers ('on ...') into the settings array to execute arbitrary code.
Exploitation requires Craft control panel administrator access and the allowAdminChanges config setting to be enabled.
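Issues 3 and 4 share one mechanism: request data merged into a Yii2 object configuration, where a key beginning with "on " attaches an event handler, a key beginning with "as " attaches a behavior, and a "class" key selects what Yii::createObject() instantiates. The PHP below is an added example (not Craft CMS code or its fix) of allowlisting such settings before they reach Yii::configure()/Yii::createObject(); the allowlist contents, the function names and the request body are assumptions constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example, not Craft CMS code. Yii2's Component::__set() treats a key
// beginning with "on " as an event handler to attach and a key beginning with
// "as " as a behavior to attach (instantiated via Yii::createObject() when given
// as an array), and Yii::createObject() treats "class" (and "__class") as the
// class to instantiate. Merging a request-supplied settings array straight into
// a component configuration therefore lets the caller attach arbitrary callables
// and classes. Filtering by allowlist closes that path regardless of gadget.
//
// ALLOWED_SETTINGS is a hypothetical allowlist chosen for this example.
const ALLOWED_SETTINGS = ['name', 'handle', 'titleFormat', 'showSlugField'];

function isInjectableKey(string $key): bool
{
    // Yii matches the prefix on the raw key, so check it before any trimming.
    return str_starts_with($key, 'on ')
        || str_starts_with($key, 'as ')
        || $key === 'class'
        || $key === '__class';
}

/**
 * Returns only allowlisted, scalar settings from an untrusted array, plus the
 * list of keys that were dropped so the request can be logged.
 *
 * @return array{clean: array<string, scalar|null>, dropped: string[]}
 */
function sanitizeSettings(array $untrusted): array
{
    $clean = [];
    $dropped = [];
    foreach ($untrusted as $key => $value) {
        $key = (string) $key;
        if (isInjectableKey($key)
            || !in_array($key, ALLOWED_SETTINGS, true)
            || !(is_scalar($value) || $value === null)) {
            $dropped[] = $key;
            continue;
        }
        $clean[$key] = $value;
    }
    return ['clean' => $clean, 'dropped' => $dropped];
}

// Constructed request body (not a real exploit payload): the injected keys
// would be interpreted by Yii2 as object configuration rather than as data.
$body = [
    'name'         => 'Article',
    'handle'       => 'article',
    'on afterSave' => 'some_callable',
    'as injected'  => ['class' => 'Some\\Behavior'],
    'class'        => 'Some\\Class',
    'titleFormat'  => ['class' => 'Some\\Class'],  // nested object config, not a scalar
];

print_r(sanitizeSettings($body));
```

Rejecting the "on "/"as "/"class" keys alone is not enough: a nested array under an otherwise legitimate key is still passed to Yii::createObject() for properties that accept objects, so the scalar check matters as much as the key check. Only allowlisted scalar settings survive; everything else is returned under dropped for logging.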
Remediation
Install the update from the vendor's website. The advisories and commits linked below identify the fixes.
References
- https://github.com/craftcms/cms/security/advisories/GHSA-472v-j2g4-g9h2
- https://github.com/craftcms/cms/commit/c997efbe4c66c14092714233aeebff15cdbfcf11
- https://github.com/craftcms/cms/security/advisories/GHSA-3x4w-mxpf-fhqq
- https://github.com/craftcms/cms/commit/f634a9d21edcafd83a6716047d275f985aba6be1
- https://github.com/craftcms/cms/security/advisories/GHSA-4484-8v2f-5748
- https://github.com/craftcms/cms/commit/dfec46362fcb40b330ce8a4d8136446e65085620
- https://github.com/craftcms/cms/security/advisories/GHSA-qx2q-q59v-wf3j
- https://github.com/craftcms/cms/commit/d37389dbffafa565143be40a2ab1e1db22a863f7