Code Injection in Craft CMS - CVE-2026-32264

Published: June 16, 2026
Vulnerability identifier: #VU134665
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-32264
CWE-ID: CWE-94
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Pixel & Tonic, Inc.
Affected software: Craft CMS

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper control of dynamically managed code resources (CWE-94) in ElementIndexesController and FieldsController when handling crafted control panel requests. A remote user with the required permissions can submit crafted data, reusing the gadget chain described in the original advisory, to execute arbitrary code.

Exploitation requires control panel administrator permissions and the allowAdminChanges setting to be enabled.


How to mitigate CVE-2026-32264

Install the security update from the vendor's website.
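Because the advisory names the allowAdminChanges setting as one of its two preconditions, keeping that setting disabled outside local development removes that condition while the vendor update is rolled out. The following config/general.php is an added example, not code from the advisory or from Pixel & Tonic; it assumes Craft's multi-environment configuration format and uses illustrative environment names.

```php
<?php
// config/general.php (Craft CMS). Added example, not from the advisory or the vendor.
// Assumes the multi-environment array format: environment keys are matched against
// the CRAFT_ENVIRONMENT value (Craft 4+; Craft 3 reads the ENVIRONMENT constant) and
// '*' applies to every environment. The environment names below are illustrative.
return [
    '*' => [
        // Hardened default for every environment; specific environments opt in below.
        'allowAdminChanges' => false,
    ],
    'dev' => [
        // Only local development needs administrative changes enabled, which is one
        // of the two conditions this advisory lists for exploitation.
        'allowAdminChanges' => true,
    ],
    'production' => [
        // Kept explicit so that a later edit to '*' cannot silently re-enable
        // administrative changes on the production control panel.
        'allowAdminChanges' => false,
    ],
];
```

Disabling allowAdminChanges does not replace the vendor update; it only closes the configuration path the advisory describes until the patched version is installed.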
