CVSS 7.5 | CVE-2026-25498 | CVE-2026-32263 | CVE-2026-32264

Craft CMS: Multiple RCE and Metadata Disclosure Vulnerabilities

Multiple vulnerabilities in Craft CMS allow for remote code execution and unauthorized metadata disclosure. Update to the latest versions to mitigate these risks.


Multiple vulnerabilities have been discovered in Craft CMS: three remote code execution (RCE) flaws that share a common root cause (attacker-controlled configuration arrays applied to Yii2 components) and one asset metadata disclosure issue. The RCE flaws allow an authenticated administrator to execute arbitrary code on the server; the disclosure flaw allows a low-privileged user to read metadata of private assets. Patches are available in Craft CMS 5.8.22 (CVE-2026-25498), 5.9.11 (CVE-2026-32263), 4.17.5 (CVE-2026-32264) and 5.9.14 (GHSA-44px-qjjc-xrhq).

These vulnerabilities range in severity, with RCE vulnerabilities scoring 7.5 (High) and the metadata disclosure scoring 2.5 (Low).

What is Craftcms/cms?

Craft CMS is a flexible content management system (CMS) written in PHP on top of the Yii2 framework. It's designed to provide a customizable platform for building websites, applications, and digital experiences, and distinguishes itself with its focus on content modeling, developer-friendly tools, and a robust plugin ecosystem. Craft CMS is used by organizations from small businesses to large enterprises, for everything from simple websites to complex web applications, and is particularly popular among developers and designers who want control over the front-end presentation.

CVE-2026-25498: Craft CMS Authenticated Remote Code Execution via Malicious Behavior

CVSS: 7.5
Affected versions: Craft CMS 5.8.9 and earlier. Exploitation requires an authenticated administrator with access to the control panel.

High severity: allows remote code execution with admin access.

The EPSS score is 0.301, an estimated 30% probability of exploitation activity in the wild within the next 30 days, which is a moderate probability.

A remote code execution (RCE) vulnerability exists in Craft CMS due to insufficient validation of user-supplied layout configuration in the `assembleLayoutFromPost()` function. The configuration array is applied to Yii2 components, and Yii2 treats array keys prefixed with `as ` as behavior definitions to instantiate (with the `class` key naming the class), so an authenticated administrator can inject a malicious behavior configuration and reach arbitrary system command execution.

How to fix CVE-2026-25498 in Craftcms/cms

Patch immediately
  1. Update Craft CMS to version 5.8.22 or later.

Update Craft CMS:
composer update craftcms/cms

Then confirm the installed version with `composer show craftcms/cms` and run `php craft up` so pending migrations are applied. Note that `composer update` only moves within the version constraint in composer.json; a tightly pinned constraint can leave you on a vulnerable release even after the command succeeds.

Workaround: There is no workaround available besides patching.

NextGuard automatically flags CVE-2026-25498 if craftcms/cms appears in any of your monitored projects — no manual lookup required.

CVE-2026-32263: Craft CMS Behavior Injection RCE via EntryTypesController

CVSS: 7.5
Affected versions: Craft CMS 5.9.9 and earlier. Exploitation requires Craft control panel administrator permissions and the `allowAdminChanges` general config setting to be enabled.

High severity: allows remote code execution with admin access.

The EPSS score is 0.031, an estimated 3% probability of exploitation activity within the next 30 days, which is low.

A behavior injection vulnerability exists in Craft CMS within `EntryTypesController::actionApplyOverrideSettings()`. The request-supplied `$settings` array is passed directly to `Craft::configure()` (Craft's alias for Yii2's `Yii::configure()`, which assigns every key of the array onto the component) without filtering, so keys prefixed `as ` or `on ` are interpreted as behavior and event-handler definitions, allowing an administrator to inject malicious Yii2 behaviors or event handlers.

How to fix CVE-2026-32263 in Craftcms/cms

Patch immediately
  1. Update Craft CMS to version 5.9.11 or later.

Update Craft CMS:
composer update craftcms/cms

Workaround: No vendor workaround is published; patching is the fix. Since exploitation requires `allowAdminChanges` to be enabled, production installs that keep it disabled (the value Craft recommends for production) are not exposed to this path until it is re-enabled, but that is a deployment mitigation, not a substitute for updating.

NextGuard automatically flags CVE-2026-32263 if craftcms/cms appears in any of your monitored projects — no manual lookup required.

CVE-2026-32264: Craft CMS Behavior Injection RCE in ElementIndexesController and FieldsController

CVSS: 7.5
Affected versions: Craft CMS 4.9.7 and earlier. Exploitation requires Craft control panel administrator permissions and the `allowAdminChanges` general config setting to be enabled.

High severity: allows remote code execution with admin access.

The EPSS score is 0.031, an estimated 3% probability of exploitation activity within the next 30 days, which is low.

A behavior injection vulnerability exists in Craft CMS within `ElementIndexesController` and `FieldsController`. As with CVE-2026-32263, request-supplied configuration arrays are applied to Yii2 components without filtering out the `as `/`on ` magic keys, allowing an administrator to inject malicious Yii2 behaviors or event handlers and reach remote code execution.
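All three RCE advisories describe the same root cause: `Yii::configure()` assigns every key of an array onto a component, and `yii\base\Component::__set()` treats keys prefixed `on ` as event-handler registration and keys prefixed `as ` as behavior attachment through `Yii::createObject()`, so whoever controls the array controls which class gets instantiated and with what properties. The following PHP is an added illustration, not code from Craft CMS or Yii2: `ComponentStub` is a simplified stand-in that mirrors Component::__set()'s prefix dispatch but only records what Yii would do, `configureUnsafe()` models the pattern the three advisories describe, and `filterSettings()` is one way to harden such an endpoint. `Hypothetical\Gadget` is a placeholder class name, not a real gadget, and the payload is constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example: a simplified stand-in for yii\base\Component::__set().
// Real Yii2 calls $this->on() for "on <event>" keys and
// $this->attachBehavior($name, Yii::createObject($value)) for "as <name>"
// keys; this stub only records what would happen so it runs without Yii2.
final class ComponentStub
{
    public string $name = '';
    public string $handle = '';
    /** @var string[] */
    public array $log = [];

    public function __set(string $key, mixed $value): void
    {
        if (strncmp($key, 'on ', 3) === 0) {
            // Yii2 registers $value as a callable event handler here.
            $this->log[] = 'event handler registered for "' . trim(substr($key, 3)) . '"';
            return;
        }
        if (strncmp($key, 'as ', 3) === 0) {
            // Yii2 passes $value to Yii::createObject(): the 'class' key names the
            // class whose constructor and property setters run with attacker data.
            $class = is_array($value) ? ($value['class'] ?? '(none)') : '(object)';
            $this->log[] = 'behavior "' . trim(substr($key, 3)) . '" created from class ' . $class;
            return;
        }
        throw new \InvalidArgumentException("Unknown property: $key");
    }
}

// The vulnerable shape the advisories describe: request-controlled settings
// handed to the configure loop unchanged (Yii::configure() is this loop).
function configureUnsafe(ComponentStub $component, array $settings): ComponentStub
{
    foreach ($settings as $key => $value) {
        $component->$key = $value;
    }
    return $component;
}

// Hardening: keep only an explicit allowlist of keys and refuse Yii's magic
// prefixes and object-definition keys anywhere in the payload. The regex is
// deliberately stricter than Yii's own exact "as "/"on " check.
function filterSettings(array $settings, array $allowed): array
{
    $clean = [];
    foreach ($settings as $key => $value) {
        if (!is_string($key) || preg_match('/^(as|on)\s/i', $key) === 1) {
            throw new \InvalidArgumentException('Rejected Yii magic key: ' . var_export($key, true));
        }
        if (!in_array($key, $allowed, true)) {
            continue; // unknown keys are dropped, never assigned
        }
        if (is_array($value)) {
            rejectObjectDefinitionKeys($value, $key);
        }
        $clean[$key] = $value;
    }
    return $clean;
}

function rejectObjectDefinitionKeys(array $value, string $path): void
{
    foreach ($value as $k => $v) {
        if (is_string($k) && (in_array(strtolower($k), ['class', '__class'], true)
                || preg_match('/^(as|on)\s/i', $k) === 1)) {
            throw new \InvalidArgumentException("Rejected object-definition key '$k' under '$path'");
        }
        if (is_array($v)) {
            rejectObjectDefinitionKeys($v, "$path.$k");
        }
    }
}

// Constructed payload shaped like an entry-type settings POST with two
// injected keys. 'Hypothetical\Gadget' is a placeholder, not a real class.
$payload = [
    'name'    => 'Blog',
    'handle'  => 'blog',
    'as evil' => ['class' => 'Hypothetical\\Gadget', 'command' => 'id'],
    'on init' => 'some_callable',
];

$unsafe = configureUnsafe(new ComponentStub(), $payload);
echo "Unsafe configure:\n  " . implode("\n  ", $unsafe->log) . "\n";

try {
    $safe = configureUnsafe(new ComponentStub(), filterSettings($payload, ['name', 'handle']));
    echo "Hardened configure: {$safe->name} / {$safe->handle}\n";
} catch (\InvalidArgumentException $e) {
    echo 'Hardened configure rejected the request: ' . $e->getMessage() . "\n";
}
```

Running it with `php behavior-injection.php` shows the unsafe path recording a behavior built from the attacker's `class` value and an event handler registered from `on init`, while the hardened path throws on the first magic key. The design point is the allowlist: filtering out known-bad prefixes alone is fragile (Yii also accepts object definitions in nested arrays), so only keys the endpoint genuinely needs should ever reach `configure()`.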

How to fix CVE-2026-32264 in Craftcms/cms

Patch immediately
  1. Update Craft CMS to version 4.17.5 or later.

Update Craft CMS:
composer update craftcms/cms

Workaround: No vendor workaround is published; patching is the fix. Since exploitation requires `allowAdminChanges` to be enabled, installs that keep it disabled in production are not exposed to this path until it is re-enabled, but that is a deployment mitigation, not a substitute for updating.

NextGuard automatically flags CVE-2026-32264 if craftcms/cms appears in any of your monitored projects — no manual lookup required.

GHSA-44px-qjjc-xrhq: Craft CMS Asset Preview Metadata Disclosure

CVSS: 2.5
Affected versions: Craft CMS 5.9.9 and earlier. The issue is exploitable on installations where authenticated users of different privilege levels share an instance that holds private assets (assets the lower-privileged users are not permitted to view).

Low severity: allows unauthorized access to asset metadata.

EPSS score is not available for this vulnerability.

An asset metadata disclosure vulnerability exists in Craft CMS because the `assets/preview-file` controller action does not fully enforce the asset's view permission. A low-privileged user can call `assets/preview-file` for an asset they are not authorized to view and still receive preview response data, disclosing metadata about the private asset.

How to fix GHSA-44px-qjjc-xrhq in Craftcms/cms

Patch within 7 days
  1. Update Craft CMS to version 5.9.14 or later.

Update Craft CMS:
composer update craftcms/cms

Workaround: There is no workaround available besides patching.
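To check an install against all four advisories on this page at once, the following added PHP script (not part of the page, and not Craft's tooling) reads the `craftcms/cms` entry from `composer.lock` and compares it with the fixed versions listed above using PHP's built-in `version_compare()`. The branch logic is an assumption of this example, not something the advisories state: a version on the same major.minor line as a fix is compared directly, a lower minor line in the same major is reported as predating the patched line, a higher minor line is treated as patched, and other majors are reported as not covered by that fix line. The embedded composer.lock fragment is constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Fixed versions exactly as listed in this page's advisories.
const FIXED_IN = [
    'CVE-2026-25498'      => '5.8.22',
    'CVE-2026-32263'      => '5.9.11',
    'CVE-2026-32264'      => '4.17.5',
    'GHSA-44px-qjjc-xrhq' => '5.9.14',
];

// Extract the installed craftcms/cms version from a composer.lock document.
function craftVersionFromLock(string $lockJson): ?string
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    foreach ($lock['packages'] ?? [] as $pkg) {
        if (($pkg['name'] ?? '') === 'craftcms/cms') {
            return ltrim((string) $pkg['version'], 'v');
        }
    }
    return null;
}

// Major.minor line, e.g. "5.9" for "5.9.9".
function branchOf(string $version): string
{
    $parts = explode('.', $version);
    return ($parts[0] ?? '0') . '.' . ($parts[1] ?? '0');
}

/**
 * Returns [advisory => status] with one of:
 *  'vulnerable'        same branch as the fix and older than it
 *  'predates fix line' same major, lower minor line (assumed unpatched; verify
 *                      against the vendor's notes for that line)
 *  'patched'           same branch at or above the fix, or a higher minor line
 *                      in the same major (assumed to include the fix)
 *  'different major'   the fix line listed here is for another major version
 */
function assessVersion(string $installed): array
{
    $result = [];
    foreach (FIXED_IN as $advisory => $fix) {
        $sameMajor = explode('.', $installed)[0] === explode('.', $fix)[0];
        if (!$sameMajor) {
            $result[$advisory] = 'different major';
        } elseif (branchOf($installed) === branchOf($fix)) {
            $result[$advisory] = version_compare($installed, $fix, '<') ? 'vulnerable' : 'patched';
        } elseif (version_compare(branchOf($installed), branchOf($fix), '<')) {
            $result[$advisory] = 'predates fix line';
        } else {
            $result[$advisory] = 'patched';
        }
    }
    return $result;
}

// Constructed composer.lock fragment (not a real lock file) pinned to 5.9.9.
// For a real check replace this with file_get_contents('composer.lock').
$lockJson = <<<'JSON'
{"packages":[{"name":"yiisoft/yii2","version":"2.0.49"},{"name":"craftcms/cms","version":"5.9.9"}]}
JSON;

$installed = craftVersionFromLock($lockJson);
if ($installed === null) {
    echo "craftcms/cms is not present in the lock file\n";
    exit(0);
}

echo "craftcms/cms $installed\n";
foreach (assessVersion($installed) as $advisory => $status) {
    printf("  %-22s fixed in %-8s %s\n", $advisory, FIXED_IN[$advisory], $status);
}
```

With the constructed 5.9.9 lock the script reports CVE-2026-32263 and GHSA-44px-qjjc-xrhq as vulnerable, CVE-2026-25498 as patched (5.9 is above the 5.8 fix line) and CVE-2026-32264 as a different major. Keep in mind that composer.lock describes what was last installed, not necessarily what is deployed: `composer show craftcms/cms` against the live vendor directory is the authoritative check.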

Stay ahead of PHP vulnerabilities

Proactively defend your applications by identifying and remediating vulnerabilities before they can be exploited. Monitor your PHP dependencies for known and emerging threats.


Frequently asked questions

These vulnerabilities highlight the importance of keeping Craft CMS up to date and of treating control panel administrator accounts as highly privileged: all three RCE flaws are reachable only with admin credentials, so strong authentication for administrators and keeping `allowAdminChanges` disabled in production reduce exposure while patches are rolled out. Regularly patching your systems and monitoring for suspicious activity can help protect against potential attacks.

Related topics

Remote Code Execution | Craft CMS | PHP Security | Vulnerability Management | Metadata Disclosure