Platform: php
Component: craftcms/cms
Fixed in: 5.0.1, 4.0.1, 5.9.9
CVE-2026-31857 describes a Remote Code Execution (RCE) vulnerability within the Craft CMS 5 conditions system. This vulnerability allows authenticated Control Panel users, even those with non-admin roles like Authors or Editors, to achieve full RCE. The vulnerability impacts Craft CMS versions 5.9.8 and earlier, and a fix is available in version 5.9.9.
The impact of CVE-2026-31857 is significant. An attacker can leverage this vulnerability to execute arbitrary code on the server hosting the Craft CMS instance. This could lead to complete system compromise, including data exfiltration, modification, or deletion. The fact that the vulnerability can be exploited by non-admin users significantly broadens the attack surface. Successful exploitation requires only basic Control Panel access, making it accessible to a wider range of potential attackers. The unsandboxed Twig rendering function is the root cause, allowing malicious code injection through user-controlled input.
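The snippet below is an added example, not code from Craft CMS or from this advisory, and it makes no claim about where in Craft the rendering happens. It illustrates the root cause named above in generic Twig terms: the same user-supplied string first rendered as a template through an unsandboxed Twig environment, then under a restrictive sandbox policy that rejects it, and finally passed as plain data to a fixed template so it is never executed at all. It assumes twig/twig 3 installed via Composer; the condition-rule value is constructed and deliberately harmless.

```php
<?php
// Added example (not Craft CMS code): one user-controlled string, three ways of handling it.
// Assumes twig/twig ^3 is installed (composer require twig/twig).
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Constructed stand-in for a condition-rule value typed by a Control Panel user.
// It is harmless; the point is only that it invokes a Twig function and a filter.
$userControlled = '{{ range(1, 3)|join(",") }}';

// 1) Unsafe pattern: the raw value becomes the template source, so Twig executes
//    whatever tags, functions and filters the environment exposes.
$unsafe = new Environment(new ArrayLoader());
echo 'unsandboxed: ' . $unsafe->createTemplate($userControlled)->render() . PHP_EOL;

// 2) Hardened pattern: a global sandbox with an explicit allow-list. Anything not
//    listed (here: no tags, only the escape filter, no functions) is refused.
$policy = new SecurityPolicy(
    [],          // allowed tags
    ['escape'],  // allowed filters (escape is kept so auto-escaping itself is permitted)
    [],          // allowed methods
    [],          // allowed properties
    []           // allowed functions
);
$safe = new Environment(new ArrayLoader());
$safe->addExtension(new SandboxExtension($policy, true)); // true = every template is sandboxed

try {
    echo 'sandboxed: ' . $safe->createTemplate($userControlled)->render() . PHP_EOL;
} catch (SecurityError $e) {
    // range() is not in the allow-list, so Twig refuses to run the template.
    echo 'sandboxed: rejected by policy (' . get_class($e) . ')' . PHP_EOL;
}

// 3) Safest for a plain value: do not treat it as a template at all. It is passed as
//    data to a fixed template and comes out as escaped text, never as executed code.
$fixed = new Environment(new ArrayLoader([
    'rule.twig' => 'rule: {{ value|e }}',
]));
echo $fixed->render('rule.twig', ['value' => $userControlled]) . PHP_EOL;
```

The third form is the one to reach for whenever a value only needs to be displayed or compared: a sandbox limits what an injected template can call, but treating user input as data rather than as template source removes the injection point entirely.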
CVE-2026-31857 was publicly disclosed on 2026-03-11. The vulnerability's ease of exploitation, combined with the broad range of affected users, suggests a medium probability of exploitation (EPSS score likely medium). No public proof-of-concept (PoC) has been released as of this writing, but the vulnerability's nature makes it likely that one will emerge. Monitor security advisories and threat intelligence feeds for updates.
Organizations and individuals using Craft CMS 5.9.8 or earlier, particularly those with non-admin users (Authors, Editors) having Control Panel access, are at significant risk. Shared hosting environments running Craft CMS are also vulnerable, as the attacker could potentially exploit the vulnerability through a compromised user account.
• php: Examine Craft CMS logs for requests to element listing endpoints containing unusual or excessively long condition rule parameters.
  grep 'condition_rule' /path/to/craftcms/logs/web.log
• php: Check for modified or newly created files in the Craft CMS template directory that could contain malicious code.
  find /path/to/craftcms/templates -type f -mtime -1
• generic web: Monitor web server access logs for requests originating from unusual IP addresses or user agents targeting Craft CMS element listing endpoints.
• generic web: Inspect response headers for unexpected content or redirects that might indicate code execution.
Disclosure
Exploit status
EPSS: 0.10% (28th percentile)
CISA SSVC
The primary mitigation for CVE-2026-31857 is to upgrade Craft CMS to version 5.9.9 or later, which contains the fix. If immediate upgrading is not possible, consider implementing strict input validation on condition rule parameters to prevent malicious code injection. While a WAF might offer some protection, it's unlikely to be sufficient given the complexity of the vulnerability. Review and restrict Control Panel user permissions to the minimum necessary to reduce the potential blast radius. After upgrading, verify the fix by attempting to create a condition rule with potentially malicious code and confirming it is properly sanitized and does not result in code execution.
Upgrade Craft CMS to version 5.9.9 or 4.17.4, as applicable, to mitigate the remote code execution vulnerability. This update corrects how condition rules are processed in the Control Panel, preventing unintended code execution. Applying the update as soon as possible is recommended.
CVE-2026-31857 is a Remote Code Execution vulnerability affecting Craft CMS versions 5.9.8 and earlier. It allows authenticated Control Panel users to execute arbitrary code.
You are affected if you are running Craft CMS version 5.9.8 or earlier. Upgrade to 5.9.9 or later to mitigate the vulnerability.
Upgrade Craft CMS to version 5.9.9 or later. As a temporary workaround, implement strict input validation on condition rule parameters and consider WAF rules.
While there are currently no confirmed active campaigns, the availability of a public proof-of-concept increases the risk of future exploitation.
Refer to the official Craft CMS security advisory for detailed information and updates: [https://craftcms.com/security/advisories](https://craftcms.com/security/advisories)