CVE-2026-31857
Description
Craft is a content management system (CMS). Prior to 5.9.9 and 4.17.4, a Remote Code Execution vulnerability exists in the Craft CMS 5 conditions system. The BaseElementSelectConditionRule::getElementIds() method passes user-controlled string input through renderObjectTemplate() -- an unsandboxed Twig rendering function with escaping disabled. Any authenticated Control Panel user (including non-admin roles such as Author or Editor) can achieve full RCE by sending a crafted condition rule via standard element listing endpoints. This vulnerability requires no admin privileges, no special permissions beyond basic control panel access, and bypasses all production hardening settings (allowAdminChanges: false, devMode: false, enableTwigSandbox: true). Users should update to the patched 5.9.9 or 4.17.4 release to mitigate the issue.
CVSS Details
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Threat Intelligence
Weaknesses 1
Affected Products 12
| Vendor | Product | Version | Range |
|---|---|---|---|
| craftcms | craft_cms | * | ≥4.0.0.1 – <4.17.4 |
| craftcms | craft_cms | * | ≥5.0.1 – <5.9.9 |
| craftcms | craft_cms | 4.0.0 | any |
| craftcms | craft_cms | 4.0.0 | any |
| craftcms | craft_cms | 4.0.0 | any |
| craftcms | craft_cms | 4.0.0 | any |
| craftcms | craft_cms | 4.0.0 | any |
| craftcms | craft_cms | 4.0.0 | any |
| craftcms | craft_cms | 4.0.0 | any |
| craftcms | craft_cms | 4.0.0 | any |
| craftcms | craft_cms | 5.0.0 | any |
| craftcms | craft_cms | 5.0.0 | any |
References 2
- github.com https://github.com/craftcms/cms/commit/8d4903647dcfd31b8d40ed027e27082013347a80
- github.com https://github.com/craftcms/cms/security/advisories/GHSA-fp5j-j7j4-mcxc
Remediation
- github.com https://github.com/craftcms/cms/commit/8d4903647dcfd31b8d40ed027e27082013347a80
- github.com https://github.com/craftcms/cms/security/advisories/GHSA-fp5j-j7j4-mcxc