CVE-2026-32263

描述

The fix for GHSA-7jx7-3846-m7w7 (commit 395c64f0b80b507be1c862a2ec942eaacb353748) only patched `src/services/Fields.php`, but the same vulnerable pattern exists in `EntryTypesController::actionApplyOverrideSettings()`. In `src/controllers/EntryTypesController.php` lines 381-387: ```php $settingsStr = $this->request->getBodyParam('settings'); parse_str($settingsStr, $postedSettings); $settingsNamespace = $this->request->getRequiredBodyParam('settingsNamespace'); $settings = array_filter(ArrayHelper::getValue($postedSettings, $settingsNamespace, [])); if (!empty($settings)) { Craft::configure($entryType, $settings); ``` The `$settings` array from `parse_str` is passed directly to `Craft::configure()` without `Component::cleanseConfig()`. This allows injecting Yii2 behavior/event handlers via `as ` or `on ` prefixed keys, the same attack vector as the original advisory. You need Craft control panel administrator permissions, and `allowAdminChanges` must be enabled for this to work. An attacker can use the same gadget chain from the original advisory to achieve RCE. Users should update to Craft 5.9.11 to mitigate the issue.

如何修補 CVE-2026-32263

要修補 CVE-2026-32263,請將受影響套件升級到下列已修補版本。

• —升級至 5.9.11 或更新版本

CVE-2026-32263 正在被利用嗎?

低 — EPSS 為 0.0%,目前沒有觀察到大規模利用活動。

受影響套件(1)

• >= 5.6.0, < 5.9.11

CVSS 分數

參考連結(5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-32263
• PATCHgithub.com/craftcms/cms
• WEBgithub.com/craftcms/cms/commit/d37389dbffafa565143be40a2ab1e1db22a863f7
• WEBgithub.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7