CVE-2026-31857 is a critical remote code execution (RCE) vulnerability affecting Craft CMS, a popular content management system. The flaw exists in the BaseElementSelectConditionRule::getElementIds() method, which processes user input through the renderObjectTemplate() function. This function uses Twig templates but does so without sandboxing and with escaping disabled, allowing user-controlled strings to be interpreted as executable code. The vulnerability is particularly dangerous because it can be exploited by any authenticated user with access to the Control Panel, including low-privilege roles such as Authors or Editors. No administrative privileges or special permissions are required, and the exploit bypasses typical production hardening configurations like allowAdminChanges set to false, devMode disabled, and enableTwigSandbox enabled. The vulnerability affects Craft CMS versions from 4.0.0-beta.1 up to but not including 4.17.4, and from 5.0.0-RC1 up to but not including 5.9.9. The CVSS 4.0 base score is 8.1, reflecting high severity due to network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability. Although no active exploits have been reported, the vulnerability's characteristics make it a prime target for attackers seeking to gain full control over vulnerable CMS installations. The recommended mitigation is immediate upgrade to patched versions 5.9.9 or 4.17.4. Additional mitigations include restricting Control Panel access to trusted users, monitoring for unusual activity, and applying web application firewall (WAF) rules to detect exploitation attempts.

The impact of CVE-2026-31857 is severe for organizations using affected versions of Craft CMS. Successful exploitation results in full remote code execution on the web server, allowing attackers to execute arbitrary commands, deploy malware, steal sensitive data, or pivot to internal networks. Because the vulnerability can be exploited by low-privilege authenticated users, insider threats or compromised accounts can lead to complete system compromise. The bypass of common hardening settings increases the risk in production environments that rely on these mitigations. Organizations running Craft CMS in sectors such as media, e-commerce, education, and government may face data breaches, service disruptions, reputational damage, and regulatory penalties. The ease of exploitation and high impact on confidentiality, integrity, and availability make this a critical risk that demands immediate attention.

1. Immediately upgrade Craft CMS to version 5.9.9 or 4.17.4 or later, as these versions contain the patch for this vulnerability. 2. Restrict Control Panel access strictly to trusted users and minimize the number of users with any Control Panel permissions, especially those with roles such as Author or Editor. 3. Implement strong authentication mechanisms, including multi-factor authentication (MFA), to reduce the risk of compromised credentials. 4. Monitor Control Panel access logs and server logs for unusual or suspicious activity indicative of exploitation attempts. 5. Deploy web application firewalls (WAFs) with custom rules to detect and block malicious payloads targeting Twig template rendering or unusual requests to element listing endpoints. 6. Regularly audit user roles and permissions to ensure least privilege principles are enforced. 7. Consider network segmentation and isolation of CMS servers to limit lateral movement in case of compromise. 8. Keep all CMS plugins and dependencies up to date to reduce the attack surface. 9. Educate users with Control Panel access about phishing and credential security to prevent account takeover.