The vulnerability identified as CVE-2026-32261 affects the Webhooks plugin for Craft CMS, specifically versions from 3.0.0 up to but not including 3.2.0. The plugin enables management of webhooks that trigger GET or POST requests upon certain events. The core issue arises from the plugin rendering user-supplied template content through Twig's renderString() function without applying sandbox restrictions. Twig is a templating engine that, when improperly sandboxed, can allow execution of arbitrary PHP functions embedded in templates. An authenticated user with access to the Craft control panel and permissions to use the Webhooks plugin can exploit this by injecting malicious Twig template code. Notably, this exploitation is possible even if the configuration setting allowAdminChanges is set to false, which normally restricts administrative modifications. The vulnerability falls under CWE-1336, which concerns improper neutralization of special elements in template engines, leading to code injection. The CVSS 4.0 base score is 8.5, reflecting high severity due to network attack vector, low complexity, no user interaction, and high impact on confidentiality, integrity, and availability. No known exploits are reported in the wild as of the publication date. The vendor addressed the vulnerability in Webhooks plugin version 3.2.0 by presumably adding sandbox protections or otherwise restricting template execution capabilities.

This vulnerability allows an authenticated user with specific permissions to execute arbitrary PHP code on the server hosting Craft CMS. The impact includes potential full system compromise, unauthorized data access or modification, disruption of service, and the ability to pivot to other internal systems. Since the vulnerability requires authenticated access to the control panel and Webhooks plugin, the risk is primarily to organizations that have multiple users with elevated permissions or weak internal access controls. Exploitation could lead to data breaches, defacement, or deployment of malware such as ransomware. Given Craft CMS's use in many content management scenarios, affected organizations could face significant operational and reputational damage. The lack of sandboxing means the attacker can bypass typical template restrictions, increasing the severity of the impact. Organizations that do not promptly patch remain vulnerable to targeted attacks, especially from insiders or compromised credentials.

Organizations should immediately upgrade the Craft CMS Webhooks plugin to version 3.2.0 or later, where the vulnerability is patched. Until upgrading is possible, restrict access to the Craft control panel and Webhooks plugin to only trusted and necessary users, enforcing the principle of least privilege. Implement strong authentication mechanisms, such as multi-factor authentication, to reduce the risk of credential compromise. Monitor logs for unusual template submissions or webhook configurations that could indicate exploitation attempts. Consider disabling the Webhooks plugin if it is not essential to operations. Additionally, review and harden server-side PHP configurations to limit the impact of arbitrary code execution, such as disabling dangerous PHP functions and using application-level sandboxing where feasible. Regularly audit user permissions and conduct security awareness training to prevent insider threats. Finally, maintain up-to-date backups to enable recovery in case of compromise.