CVE-2026-32264 — Craft CMS vulnerable to behavior injection RCE ElementIndexesController and Fiel

描述

The fix for https://github.com/advisories/GHSA-7jx7-3846-m7w7 (commit https://github.com/craftcms/cms/commit/395c64f0b80b507be1c862a2ec942eaacb353748) only patched `src/services/Fields.php`, but the same vulnerable pattern exists in `ElementIndexesController` and `FieldsController`. You need Craft control panel administrator permissions, and allowAdminChanges must be enabled for this to work. An attacker can use the same gadget chain from the original advisory to achieve RCE. Users should update to Craft 4.17.5 and 5.9.11 to mitigate the issue.

如何修補 CVE-2026-32264

要修補 CVE-2026-32264,請將受影響套件升級到下列已修補版本。

—升級至 4.17.5 或更新版本

CVE-2026-32264 正在被利用嗎?

低 — EPSS 為 0.0%,目前沒有觀察到大規模利用活動。

受影響套件(1)

>= 4.0.0-RC1, < 4.17.5

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

參考連結(6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-32264
PATCHgithub.com/craftcms/cms
WEBgithub.com/craftcms/cms/commit/78d181e12e0b15e1300f54ec85f19859d3300f70
WEBgithub.com/craftcms/cms/commit/dfec46362fcb40b330ce8a4d8136446e65085620