Craft CMS control panel allows unauthorized code execution

GHSA-fp5j-j7j4-mcxc · CVE-2026-31857 · CVSS 8.1
Summary

A security issue in the Craft CMS control panel allows any logged-in user to execute malicious code on the server. This could lead to unauthorized access and data compromise. To protect your site, update to the latest version of Craft CMS, which includes a fix for this issue.

What to do
  • Update craftcms cms to version 5.9.9.
  • Update craftcms cms to version 4.17.4.
Affected software
Vendor     Product   Affected versions             Fix available
craftcms   cms       > 5.0.0-RC1, <= 5.9.8         5.9.9
craftcms   cms       > 4.0.0-beta.1, <= 4.17.3     4.17.4
Original title
CraftCMS has an RCE vulnerability via relational conditionals in the control panel
Original description
A Remote Code Execution vulnerability exists in the Craft CMS 5 conditions system.

The `BaseElementSelectConditionRule::getElementIds()` method passes user-controlled string input through `renderObjectTemplate()` -- an unsandboxed Twig rendering function with escaping disabled.

Any authenticated Control Panel user (including non-admin roles such as Author or Editor) can achieve full RCE by sending a crafted condition rule via standard element listing endpoints.

This vulnerability requires no admin privileges, no special permissions beyond basic control panel access, and bypasses all production hardening settings (allowAdminChanges: false, devMode: false, enableTwigSandbox: true).

Users should update to the patched 5.9.9 release to mitigate the issue.
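As an added illustration (not code from Craft CMS or from this advisory), two PHP helpers for the practitioner's side of this: one checks an installed Craft version against the affected ranges in the table above, and the other shows the defensive shape for an input like the one the advisory describes, accepting element IDs only as integers and never handing the raw string to a template renderer. Function names are hypothetical and the parser is not Craft's own fix.

```php
<?php
declare(strict_types=1);

// Affected ranges copied from the advisory's "Affected software" table.
// version_compare() orders pre-release suffixes below the plain release
// (5.0.0-RC1 < 5.0.0), so the lower bounds behave as the table intends.
function craftVersionIsAffected(string $installed): bool
{
    $ranges = [
        ['5.0.0-RC1', '5.9.8'],     // fixed in 5.9.9
        ['4.0.0-beta.1', '4.17.3'], // fixed in 4.17.4
    ];
    foreach ($ranges as [$lower, $upper]) {
        if (version_compare($installed, $lower, '>')
            && version_compare($installed, $upper, '<=')) {
            return true;
        }
    }
    return false;
}

// Hypothetical strict parser for a condition rule's element-ID input.
// The defensive point: the value is validated as a list of positive integers
// up front, so a string containing template syntax is rejected rather than
// ever reaching an object-template renderer.
function parseElementIds(string|array $input): array
{
    $items = is_array($input) ? $input : explode(',', $input);
    $ids = [];
    foreach ($items as $item) {
        $item = trim((string) $item);
        if (!preg_match('/^[1-9][0-9]*$/', $item)) {
            throw new InvalidArgumentException(
                'Rejected non-integer element ID: ' . $item
            );
        }
        $ids[] = (int) $item;
    }
    return array_values(array_unique($ids));
}

// Usage with constructed sample values.
var_dump(craftVersionIsAffected('5.9.8'));  // true
var_dump(craftVersionIsAffected('5.9.9'));  // false
var_dump(craftVersionIsAffected('4.17.4')); // false
var_dump(parseElementIds('12, 7, 12'));     // [12, 7]
try {
    parseElementIds('12, {{ 1 + 1 }}');     // throws InvalidArgumentException
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```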
Source: GHSA · CVSS 4.0 score: 8.1
Vulnerability type
CWE-94 Code Injection
Published: 11 Mar 2026 · Updated: 14 Mar 2026 · First seen: 11 Mar 2026