SB2026061668 - Multiple vulnerabilities in Craft CMS


Published: June 16, 2026

Security Bulletin ID: SB2026061668
CSH Severity: Low
Patch available: YES
Number of vulnerabilities: 4
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity: Low 100% (all 4 vulnerabilities are rated Low)

Description

This security bulletin contains information about 4 vulnerabilities.


1) Path traversal (CVE-ID: CVE-2026-32262)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to delete arbitrary files within the same filesystem root.

The vulnerability exists due to path traversal in AssetsController->replaceFile() when processing the targetFilename body parameter. A remote user can inject ../ sequences into the filename to delete arbitrary files within the same filesystem root.

This only affects local filesystems. Because the check is on the filesystem root rather than on the volume, other folders or volumes that share the same filesystem root can be affected.
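The defect class above is a filename parameter that is passed to a filesystem operation without being reduced to a bare filename and anchored inside the volume root. The following is an added example written for this bulletin, not Craft CMS code: validateTargetFilename(), deleteWithinRoot(), the UnsafeFilenameException class, the character allow-list and the sample inputs are all assumptions, and the code requires PHP 8 for str_contains()/str_starts_with().

```php
<?php
declare(strict_types=1);

// Added example (not Craft CMS code). The function names, the allow-list and
// the constructed inputs are assumptions made for this illustration.

final class UnsafeFilenameException extends RuntimeException {}

/**
 * Accept only a bare filename: no directory separators, no traversal
 * components, no NUL bytes or control characters, and an explicit allow-list
 * for the remaining characters.
 */
function validateTargetFilename(string $targetFilename): string
{
    if ($targetFilename === '' || strlen($targetFilename) > 255) {
        throw new UnsafeFilenameException('empty or overlong filename');
    }
    // NUL bytes and control characters are never legitimate in a filename.
    if (preg_match('/[\x00-\x1F\x7F]/', $targetFilename)) {
        throw new UnsafeFilenameException('control character in filename');
    }
    // Any separator means the caller supplied a path, not a filename.
    if (str_contains($targetFilename, '/') || str_contains($targetFilename, '\\')) {
        throw new UnsafeFilenameException('directory separator in filename');
    }
    if ($targetFilename === '.' || $targetFilename === '..') {
        throw new UnsafeFilenameException('dot component in filename');
    }
    // Allow-list (assumption for this example): letters, digits, dot, dash, underscore.
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $targetFilename)) {
        throw new UnsafeFilenameException('disallowed character in filename');
    }
    return $targetFilename;
}

/**
 * Defence in depth: even with a bare filename, confirm the resolved path stays
 * inside the volume root before deleting. realpath() collapses symlinks and
 * ".." so the comparison is made on canonical paths.
 */
function deleteWithinRoot(string $assetsRoot, string $targetFilename): bool
{
    $name = validateTargetFilename($targetFilename);
    $root = realpath($assetsRoot);
    if ($root === false) {
        throw new RuntimeException('volume root does not exist');
    }
    $candidate = $root . DIRECTORY_SEPARATOR . $name;
    $resolved = realpath($candidate);
    if ($resolved === false) {
        return false; // nothing to delete
    }
    if (!str_starts_with($resolved, $root . DIRECTORY_SEPARATOR)) {
        throw new UnsafeFilenameException('resolved path escaped the volume root');
    }
    return unlink($resolved);
}

// Demonstration with constructed inputs: one legitimate name, three traversal attempts.
foreach (['report.pdf', '../../config/db.php', "evil\0.txt", '..\\..\\.env'] as $input) {
    try {
        validateTargetFilename($input);
        echo 'accepted: ' . json_encode($input) . PHP_EOL;
    } catch (UnsafeFilenameException $e) {
        echo 'rejected: ' . json_encode($input) . ' (' . $e->getMessage() . ')' . PHP_EOL;
    }
}
```

The second check matters even after the first: a symlink inside the volume that points outside it would pass filename validation but fails the realpath() comparison, which is the same root boundary the bulletin describes as the blast radius of this bug.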


2) Cross-site scripting (CVE-ID: CVE-2026-33051)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to escalate privileges.

The vulnerability exists due to cross-site scripting in the revision/draft context menu in the element editor when rendering the creator's fullName as raw HTML. A remote user can set a crafted fullName and create an entry with two saves to escalate privileges.

Exploitation requires a logged-in administrator to trigger the crafted payload while an elevated session is active.
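The root cause here is interpolating a user-controlled field (fullName) into HTML markup without escaping. The following is an added example, not Craft CMS code: the revisionMenuItemUnsafe()/revisionMenuItemSafe() functions, the e() helper and the constructed $revision record are assumptions; it shows the vulnerable form next to the hardened one.

```php
<?php
declare(strict_types=1);

// Added example (not Craft CMS code). Function names and the $revision record
// are assumptions constructed for this illustration.

/** Escape for an HTML text or attribute context (ENT_QUOTES covers both quote styles). */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable form: the creator's fullName is concatenated as raw HTML. */
function revisionMenuItemUnsafe(array $revision): string
{
    return '<li data-revision="' . $revision['id'] . '">'
        . 'Saved by ' . $revision['creator']['fullName']
        . '</li>';
}

/** Hardened form: every user-controlled value passes through e() before output. */
function revisionMenuItemSafe(array $revision): string
{
    return '<li data-revision="' . e((string) $revision['id']) . '">'
        . 'Saved by ' . e($revision['creator']['fullName'])
        . '</li>';
}

// Constructed revision record whose creator set a fullName containing markup.
$revision = [
    'id' => 42,
    'creator' => ['fullName' => 'Alice <script>alert(1)</script>'],
];

echo revisionMenuItemUnsafe($revision), PHP_EOL; // script tag reaches the browser
echo revisionMenuItemSafe($revision), PHP_EOL;   // rendered as literal text
```

In Craft's Twig templates the same distinction is the difference between `{{ value }}`, which is auto-escaped, and `{{ value|raw }}`, which is not; a review of control panel templates for `|raw` applied to user-editable profile fields is the quickest way to find siblings of this bug.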


3) Code Injection (CVE-ID: CVE-2026-32264)

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper control of dynamically managed code resources in ElementIndexesController and FieldsController when handling crafted control panel requests. A remote user can submit crafted data using the same gadget chain as the original advisory to execute arbitrary code.

Exploitation requires control panel administrator permissions and the allowAdminChanges setting to be enabled.


4) Code Injection (CVE-ID: CVE-2026-32263)

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper control of code generation in EntryTypesController::actionApplyOverrideSettings() when processing crafted settings parameters. A remote user can inject Yii2 behavior or event-handler configuration keys to execute arbitrary code.

Exploitation requires Craft control panel administrator access and the allowAdminChanges setting to be enabled.
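Vulnerabilities 3 and 4 share one mechanism: a settings array taken from the request is applied to a Yii2 component, and Yii2's yii\base\Component::__set() interprets a key beginning with "on " as an event handler to attach, a key beginning with "as " as a behavior to attach (instantiated via Yii::createObject() when given as an array), while a "class" key selects which class Yii::createObject() instantiates. The following is an added example serving both entries, not Craft CMS or Yii code: filterComponentSettings(), RejectedSettingsException, the $allowedKeys list and the sample payloads are assumptions; it shows the allow-list filter a defender would put in front of such a call.

```php
<?php
declare(strict_types=1);

// Added example (not Craft CMS or Yii code). The function, the allow-list and
// the constructed payloads are assumptions made for this illustration.

final class RejectedSettingsException extends InvalidArgumentException {}

/**
 * Return only the keys named in $allowedKeys and fail closed on anything that
 * Yii2 would interpret as code: "on <event>" handlers, "as <name>" behaviors
 * and "class"/"__class" selectors. Values are restricted to scalars or flat
 * arrays of scalars, since a nested array can itself be an object configuration.
 */
function filterComponentSettings(array $settings, array $allowedKeys): array
{
    $allowed = array_flip($allowedKeys);
    $clean = [];
    foreach ($settings as $key => $value) {
        if (!is_string($key)) {
            throw new RejectedSettingsException('non-string settings key');
        }
        // Stricter than Yii's own case-sensitive, untrimmed prefix check.
        $lower = strtolower(ltrim($key));
        if (str_starts_with($lower, 'on ') || str_starts_with($lower, 'as ')
            || $lower === 'class' || $lower === '__class') {
            throw new RejectedSettingsException("code-bearing key rejected: {$key}");
        }
        if (!isset($allowed[$key])) {
            continue; // unknown but harmless keys are dropped
        }
        if (is_array($value)) {
            foreach ($value as $v) {
                if (!is_scalar($v) && $v !== null) {
                    throw new RejectedSettingsException("nested structure in {$key}");
                }
            }
        } elseif (!is_scalar($value) && $value !== null) {
            throw new RejectedSettingsException("non-scalar value for {$key}");
        }
        $clean[$key] = $value;
    }
    return $clean;
}

// Constructed entry-type settings as they might arrive in a control panel request.
$allowedKeys = ['name', 'handle', 'hasTitleField', 'titleFormat'];
$benign  = ['name' => 'Article', 'handle' => 'article', 'hasTitleField' => true];
$hostile = $benign + ['on afterValidate' => ['SomeClass', 'someMethod']];

var_export(filterComponentSettings($benign, $allowedKeys));
echo PHP_EOL;
try {
    filterComponentSettings($hostile, $allowedKeys);
} catch (RejectedSettingsException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Throwing rather than silently dropping the code-bearing keys is deliberate: a request carrying an "on " or "as " key from a control panel form is itself a signal worth logging, since the bulletin's preconditions (administrator access plus allowAdminChanges) mean the account submitting it is either compromised or misbehaving.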


Remediation

Install the update from the vendor's website.