Latest Craft CMS vulnerability: CVE-2026-32267 #
A vulnerability found within CraftCMS was published in a recent security advisory.
- A privilege escalation vulnerability exists due to token mishandling.The vulnerability has been designated CVE-2026-32267 and rated high with a CVSS score of 7.7.
The following versions are affected
- CraftCMS versions 4.0.0-RC1 up to 4.17.6 (exclusive)
- CraftCMS versions 5.0.0-RC1 up to 5.9.12 (exclusive)
What is Craft CMS? #
CraftCMS is a flexible content management system (CMS) used to build and manage websites.
What is the impact? #
Successful exploitation of the vulnerability could allow a low-privilege user (or an unauthenticated user who has been sent a shared URL) to escalate their privileges to admin by abusing a vulnerability found in the user management
Are updates available? #
Upgrade affected versions of CraftCMS to the latest patched version.
- CraftCMS 4.x upgrade to version 4.17.6 and later
- CraftCMS 5.x upgrade to version 5.9.12 and later
How do I find potentially vulnerable instances with runZero? #
From the Software Inventory, use the following query to locate systems running potentially vulnerable software:
vendor:=CraftCMS AND product:="Craft CMS"April 2025: CVE-2025-32432 and CVE-2024-58136 #
Two zero-day vulnerabilities impacting Craft CMS are being actively exploited by chaining the vulnerabilities together to compromise the affected systems.
- CVE-2025-32432 is rated critical with a CVSSv3 base score of 10.0.
- CVE-2024-58136 is rated critical with a CVSSv3 base score of 9.0. This vulnerability is found within the Yii framework, which is used by Craft CMS.
What is the impact? #
Successful exploitation of the vulnerability could allow a low-privilege user (or an unauthenticated user who has been sent a shared URL) to escalate their privileges to admin by abusing a vulnerability found in the user management
Are updates available? #
Although the Yii framework update is not included in the latest Craft CMS patch, the primary vulnerability was patched within 3.9.15, 4.14.15, and 5.6.17. Users are strongly encouraged to update their installation as soon as possible. In addition to applying a patch, users might want to rotate their security keys as a safety precaution. Additionally, a best practices write-up is available online with steps on how to harden the security of the installation.
How do I find potentially vulnerable instances with runZero? #
From the Service Inventory, use the following query to locate systems running potentially vulnerable software:
_asset.protocol:http AND protocol:http AND (has:http.head.xPoweredBy AND http.head.xPoweredBy:="Craft CMS")February 2025: CVE-2025-23209 #
In late January, CraftCMS published a security advisory for a code injection vulnerability that can lead to remote code execution. On February 20, 2025 CISA added CVE-2025-23209 to the known exploited vulnerabilities catalog (KEV).
What is the impact? #
Successful exploitation of the vulnerability requires that a remote attacker already has control of the installation's security key. In this case, the attacker can then inject code using an specially crafted backup directory variable provided by the user.
The affected versions include:
- Versions greater than or equal to 5.0.0-RC1 through 5.5.5 (exclusive)
- Versions greater than or equal to 4.0.0-RC1 through 4.13.8 (exclusive)
Are updates available? #
The vulnerability was patched in 5.5.8 and 4.13.8. Users are strongly encouraged to update their installation as soon as possible. In addition to applying a patch, users might want to rotate their security keys as a safety precaution. Additionally, a best practices write-up is available online with steps on how to harden the security of the installation.
How do I find potentially vulnerable instances with runZero? #
From the Service Inventory, use the following query to locate systems running potentially vulnerable software:
_asset.protocol:http AND protocol:http AND (has:http.head.xPoweredBy AND http.head.xPoweredBy:="Craft CMS")
