CVE-2026-32263 is a vulnerability classified under CWE-470 (Use of Externally-Controlled Input to Select Classes or Code, also known as unsafe reflection) affecting Craft CMS versions from 5.6.0 up to but not including 5.9.11. The root cause lies in the handling of the $settings array within the src/controllers/EntryTypesController.php file, where input parsed via parse_str is passed directly to the Craft::configure() method without being sanitized by Component::cleanseConfig(). This improper input validation allows attackers with administrator privileges and the allowAdminChanges configuration enabled to inject malicious Yii2 behaviors or event handlers by using keys prefixed with "as" or "on". These keys correspond to Yii2’s dynamic behavior and event system, enabling attackers to manipulate the application’s runtime behavior or execute arbitrary code. The vulnerability does not require user interaction and can be exploited remotely over the network, but it does require high privileges (admin access) within the Craft CMS control panel. The vulnerability has a CVSS 4.0 base score of 8.6, reflecting its high impact on confidentiality, integrity, and availability, as well as ease of exploitation given the required privileges. The issue was addressed and patched in Craft CMS version 5.9.11. No public exploits have been reported yet, but the vulnerability’s nature and severity warrant immediate attention from organizations using affected versions.

The impact of CVE-2026-32263 is significant for organizations using affected Craft CMS versions, especially those with multiple administrators or where the allowAdminChanges setting is enabled. An attacker who gains or already has administrator access can exploit this vulnerability to inject malicious behaviors or event handlers, potentially leading to remote code execution, unauthorized data access, or manipulation of CMS functionality. This can compromise the confidentiality, integrity, and availability of the affected web applications and their hosted content. Given Craft CMS’s use in various industries for website and content management, exploitation could lead to website defacement, data breaches, or pivoting to internal networks. Although exploitation requires admin privileges, the vulnerability lowers the barrier for attackers to escalate their control or maintain persistence. Organizations with publicly accessible Craft CMS control panels are at higher risk, especially if administrative credentials are weak or compromised. The lack of known exploits in the wild currently reduces immediate risk, but the high CVSS score and ease of exploitation with admin access make this a critical issue to address promptly.

1. Upgrade Craft CMS to version 5.9.11 or later immediately to apply the official patch that addresses this vulnerability. 2. Restrict administrative access to the Craft CMS control panel by implementing strong authentication mechanisms such as multi-factor authentication (MFA) and IP whitelisting. 3. Disable the allowAdminChanges setting if it is not required, reducing the attack surface for this vulnerability. 4. Regularly audit and monitor administrator accounts and permissions to detect unauthorized access or privilege escalation attempts. 5. Implement web application firewalls (WAF) with rules to detect and block suspicious requests targeting the EntryTypesController.php or attempts to inject Yii2 behaviors. 6. Conduct code reviews and security testing on custom plugins or extensions that may interact with the configuration or behavior system to ensure they do not introduce similar unsafe reflection issues. 7. Maintain up-to-date backups and incident response plans to quickly recover in case of compromise. 8. Educate administrators about the risks of unsafe reflection and the importance of secure configuration management.