{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-26T21:17:08.310","vulnerabilities":[{"cve":{"id":"CVE-2026-32263","sourceIdentifier":"security-advisories@github.com","published":"2026-03-16T20:16:19.170","lastModified":"2026-03-17T17:55:32.583","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.11, in src/controllers/EntryTypesController.php, the $settings array from parse_str is passed directly to Craft::configure() without Component::cleanseConfig(). This allows injecting Yii2 behavior/event handlers via \"as\" or \"on\" prefixed keys, the same attack vector as the original advisory. Craft control panel administrator permissions and allowAdminChanges must be enabled for this to work. This issue has been patched in version 5.9.11."},{"lang":"es","value":"Craft CMS es un sistema de gestión de contenido (CMS). Desde la versión 5.6.0 hasta antes de la versión 5.9.11, en src/controllers/EntryTypesController.PHP, el array $settings de parse_str se pasa directamente a Craft::configure() sin Component::cleanseConfig(). Esto permite inyectar manejadores de comportamiento/eventos de Yii2 a través de claves prefijadas con 'as' o 'on', el mismo vector de ataque que el aviso original. Los permisos de administrador del panel de control de Craft y allowAdminChanges deben estar habilitados para que esto funcione. Este problema ha sido parcheado en la versión 5.9.11."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.6,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"HIGH","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","baseScore":7.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.2,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-470"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*","versionStartIncluding":"5.6.0","versionEndExcluding":"5.9.11","matchCriteriaId":"E9E296E2-3127-4E71-9341-DFAD0ABC91D0"}]}]}],"references":[{"url":"https://github.com/craftcms/cms/commit/d37389dbffafa565143be40a2ab1e1db22a863f7","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7","source":"security-advisories@github.com","tags":["Vendor Advisory"]},{"url":"https://github.com/craftcms/cms/security/advisories/GHSA-qx2q-q59v-wf3j","source":"security-advisories@github.com","tags":["Patch","Vendor Advisory"]}]}}]}