CVE-2026-32263 is a vulnerability classified under CWE-470 (Use of Externally-Controlled Input to Select Classes or Code, also known as Unsafe Reflection) affecting Craft CMS versions from 5.6.0 up to but not including 5.9.11. The flaw exists in the EntryTypesController.php file where the $settings array, obtained via parse_str, is passed directly to the Craft::configure() method without first being sanitized by Component::cleanseConfig(). This improper handling allows an attacker with administrator permissions and the allowAdminChanges configuration enabled to inject malicious Yii2 behavior or event handlers using specially crafted keys prefixed with "as" or "on". These keys can manipulate the CMS's internal event system, potentially enabling arbitrary code execution or unauthorized actions within the CMS environment. The vulnerability does not require user interaction and can be exploited remotely over the network, given the attacker has the necessary admin privileges. The CVSS 4.0 base score is 8.6, reflecting high severity due to the potential for full compromise of the CMS's confidentiality, integrity, and availability. The vendor has addressed this issue in Craft CMS version 5.9.11 by ensuring proper cleansing of configuration inputs before applying them. No public exploits have been reported yet, but the vulnerability poses a significant risk to affected installations.

The impact of CVE-2026-32263 is substantial for organizations using Craft CMS versions between 5.6.0 and before 5.9.11. Successful exploitation allows an attacker with administrator privileges to inject malicious behaviors or event handlers, potentially leading to arbitrary code execution, unauthorized configuration changes, data manipulation, or service disruption. This compromises the confidentiality, integrity, and availability of the CMS and any data it manages. Since Craft CMS is often used to manage website content, exploitation could result in defacement, data leakage, or pivoting to other internal systems. The requirement for admin privileges limits the attack surface but does not eliminate risk, especially in environments where admin credentials may be compromised or where multiple administrators exist. The vulnerability could also be leveraged in insider threat scenarios or through social engineering to gain admin access. Organizations relying on Craft CMS for critical web infrastructure or customer-facing portals are at heightened risk of reputational damage and operational disruption if exploited.

To mitigate CVE-2026-32263, organizations should immediately upgrade Craft CMS to version 5.9.11 or later, where the vulnerability is patched. Additionally, review and restrict administrator access to only trusted personnel and enforce strong authentication mechanisms such as multifactor authentication to reduce the risk of credential compromise. Disable the allowAdminChanges setting if it is not necessary for operational needs, as this setting is required for exploitation. Conduct regular audits of administrative accounts and monitor for unusual configuration changes or behavior injections in the CMS logs. Implement network-level protections such as IP whitelisting or VPN access for administrative interfaces to limit exposure. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the "as" or "on" prefixed keys in requests. Finally, maintain an incident response plan that includes steps for containment and recovery in case of compromise related to this vulnerability.