Platform: php
Component: craftcms/cms
Fixed in: 5.0.1, 4.0.1, 5.9.9
CVE-2026-31857 describes a Remote Code Execution (RCE) vulnerability within the Craft CMS 5 conditions system. This vulnerability allows authenticated Control Panel users, even those with non-admin roles like Authors or Editors, to achieve full RCE. The vulnerability impacts Craft CMS versions 5.9.8 and earlier, and a fix is available in version 5.9.9.
The impact of CVE-2026-31857 is significant because it yields Remote Code Execution. An attacker with only basic Control Panel access can execute arbitrary code on the server hosting the Craft CMS instance, which can lead to complete system compromise, including data exfiltration, modification, or deletion. Because administrative privileges are not required, the pool of accounts that can trigger the vulnerability is considerably larger than for an admin-only bug. This is particularly concerning given the popularity of Craft CMS for content-heavy websites and applications, which often store sensitive user data.
CVE-2026-31857 was publicly disclosed on March 11, 2026. The vulnerability leverages an unsandboxed Twig rendering function: user-controlled condition input reaches the template engine without a sandbox, the same server-side template injection class seen in other templating engines. There are currently no known active campaigns exploiting this specific CVE, but the availability of a public proof-of-concept increases the likelihood of future exploitation. The EPSS score at the time of writing is 0.10% (28th percentile), but the RCE outcome and the low privilege required suggest the probability of exploitation may rise as the proof-of-concept circulates.
Organizations and individuals using Craft CMS 5.9.8 or earlier, particularly those with non-admin users (Authors, Editors) having Control Panel access, are at significant risk. Shared hosting environments running Craft CMS are also vulnerable, as the attacker could potentially exploit the vulnerability through a compromised user account.
• php: Examine Craft CMS logs for requests to element listing endpoints containing unusual or excessively long condition rule parameters (Craft writes its own logs under storage/logs by default; adjust the path below to your installation).
grep 'condition_rule' /path/to/craftcms/logs/web.log
• php: Check for modified or newly created files in the Craft CMS template directory that could contain malicious code.
find /path/to/craftcms/templates -type f -mtime -1
• generic web: Monitor web server access logs for requests from unusual IP addresses or user agents targeting Craft CMS element listing endpoints.
• generic web: Inspect response headers and bodies for unexpected content or redirects that might indicate code execution.
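The log review described in the detection bullets above can be automated. The following is an added example (not code from Craft CMS or from the advisory) that scans web-server access log lines in combined format, keeps only requests to Control Panel element-index and condition action paths, and flags condition-related query parameters that are either oversized or contain Twig delimiters. The endpoint patterns (/actions/element-indexes/, /actions/conditions/), the parameter-name heuristic ("condition" in the name), the 512-character threshold and the sample log lines are all assumptions constructed for the example; the advisory does not publish the exact endpoint or parameter names.

```python
"""Heuristic scan of access-log lines for suspicious Craft CMS condition payloads.

Added example, not Craft CMS project code. Assumptions:
  - log lines are in Apache/Nginx combined log format
  - Control Panel element listing requests hit /actions/element-indexes/ or
    /actions/conditions/ (assumed action paths, not taken from the advisory)
  - condition rules travel as query parameters whose names contain "condition"
"""
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [ts] "METHOD target PROTO" status size "ref" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Assumed Control Panel action paths for element listing / condition rendering.
ENDPOINT_RE = re.compile(r"/actions/(element-indexes|conditions)/")
# Twig delimiters have no business inside a condition rule value.
TWIG_RE = re.compile(r"\{\{|\{%")

# Constructed sample traffic (not real log data). Line 1 is a benign listing
# request, line 2 carries Twig markup, line 3 carries an oversized value,
# line 4 is unrelated Control Panel browsing.
LONG_VALUE = "A" * 600
SAMPLE_LOG = "\n".join([
    '203.0.113.5 - - [11/Mar/2026:10:01:02 +0000] "GET /admin/actions/element-indexes/get-elements'
    '?elementType=craft%5Celements%5CEntry&condition%5Bclass%5D=craft%5Celements%5Cconditions%5Centries%5CEntryCondition'
    ' HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [11/Mar/2026:10:01:09 +0000] "GET /admin/actions/element-indexes/get-elements'
    '?condition%5Bconditions%5D%5B0%5D%5Bvalue%5D=%7B%7B7*7%7D%7D HTTP/1.1" 200 41 "-" "python-requests/2.31"',
    f'203.0.113.5 - - [11/Mar/2026:10:01:12 +0000] "POST /admin/actions/conditions/render'
    f'?condition%5Bconditions%5D%5B0%5D%5Bvalue%5D={LONG_VALUE} HTTP/1.1" 200 41 "-" "python-requests/2.31"',
    '198.51.100.7 - - [11/Mar/2026:10:02:11 +0000] "GET /admin/entries HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
])


def condition_params(target):
    """Return {name: [values]} for decoded query params whose name mentions 'condition'."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return {k: v for k, v in params.items() if "condition" in k.lower()}


def assess(entry, max_len):
    """Return a list of human-readable reasons this request looks suspicious (empty if none)."""
    reasons = []
    params = condition_params(entry["target"])
    total = sum(len(v) for vals in params.values() for v in vals)
    if total > max_len:
        reasons.append(f"condition params total {total} chars (> {max_len})")
    for name, vals in params.items():
        if any(TWIG_RE.search(v) for v in vals):
            reasons.append(f"Twig delimiter in {name}")
    return reasons


def scan(log_text, max_len=512):
    """Parse combined-format log lines and return findings for suspicious condition requests."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip lines that are not combined-format access entries
        entry = m.groupdict()
        if not ENDPOINT_RE.search(entry["target"]):
            continue  # only element listing / condition endpoints are of interest
        reasons = assess(entry, max_len)
        if reasons:
            findings.append({
                "ip": entry["ip"],
                "ua": entry["ua"],
                "path": urlsplit(entry["target"]).path,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ip']} {f['ua']!r} {f['path']}: {'; '.join(f['reasons'])}")
```

Run it against a real log with `scan(open("access.log").read())`. Both heuristics are deliberately crude: a length threshold catches padded payloads but is easy to tune wrongly for sites with complex saved conditions, and the Twig-delimiter check can be defeated by double encoding, so treat hits as leads for investigation rather than proof of exploitation. Requests that reach these endpoints with a non-browser user agent, as in the sample, deserve a second look even when neither heuristic fires.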
Disclosure
Exploit status
EPSS: 0.10% (28th percentile)
CISA SSVC
The primary mitigation for CVE-2026-31857 is to upgrade Craft CMS to version 5.9.9 or later (4.17.4 or later on the Craft 4 branch). If an immediate upgrade is not feasible, reduce the number of accounts that can reach the vulnerable code path: review which users hold Control Panel access and remove it where it is not needed, and consider strict input validation on condition rule parameters to block injected template markup. A Web Application Firewall (WAF) configured to reject requests containing suspicious condition rule payloads can add a temporary layer of defense, but it is not a complete solution, since encoded or obfuscated payloads may slip past signature rules. Monitor Craft CMS logs for unusual activity related to element listing endpoints and condition rule processing. After upgrading, confirm the fix on a non-production copy by attempting to create a condition rule with a known malicious payload; it should be rejected.
Update Craft CMS to version 5.9.9 or 4.17.4, as applicable, to remediate the remote code execution vulnerability. The update changes how condition rules are processed in the Control Panel so that unintended code is no longer executed. Apply the update as soon as possible.
CVE-2026-31857 is a Remote Code Execution vulnerability affecting Craft CMS versions 5.9.8 and earlier. It allows authenticated Control Panel users to execute arbitrary code.
You are affected if you are running Craft CMS version 5.9.8 or earlier. Upgrade to 5.9.9 or later to mitigate the vulnerability.
Upgrade Craft CMS to version 5.9.9 or later. As a temporary workaround, implement strict input validation on condition rule parameters and consider WAF rules.
While there are currently no confirmed active campaigns, the availability of a public proof-of-concept increases the risk of future exploitation.
Refer to the official Craft CMS security advisory for detailed information and updates: [https://craftcms.com/security/advisories](https://craftcms.com/security/advisories)