{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31857", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-09T19:02:25.011Z", "datePublished": "2026-03-11T17:30:29.092Z", "dateUpdated": "2026-03-12T14:02:26.953Z"}, "containers": {"cna": {"title": "CraftCMS has an RCE vulnerability via relational conditionals in the control panel", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U", "version": "4.0"}}], "references": [{"name": "https://github.com/craftcms/cms/security/advisories/GHSA-fp5j-j7j4-mcxc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-fp5j-j7j4-mcxc"}, {"name": "https://github.com/craftcms/cms/commit/8d4903647dcfd31b8d40ed027e27082013347a80", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/cms/commit/8d4903647dcfd31b8d40ed027e27082013347a80"}], "affected": [{"vendor": "craftcms", "product": "cms", "versions": [{"version": ">= 5.0.0-RC1, < 5.9.9", "status": "affected"}, {"version": ">= 4.0.0-beta.1, < 4.17.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T17:30:29.092Z"}, "descriptions": [{"lang": "en", "value": "Craft is a content management system (CMS). Prior to 5.9.9 and 4.17.4, a Remote Code Execution vulnerability exists in the Craft CMS 5 conditions system. The BaseElementSelectConditionRule::getElementIds() method passes user-controlled string input through renderObjectTemplate() -- an unsandboxed Twig rendering function with escaping disabled. Any authenticated Control Panel user (including non-admin roles such as Author or Editor) can achieve full RCE by sending a crafted condition rule via standard element listing endpoints. This vulnerability requires no admin privileges, no special permissions beyond basic control panel access, and bypasses all production hardening settings (allowAdminChanges: false, devMode: false, enableTwigSandbox: true). Users should update to the patched 5.9.9 or 4.17.4 release to mitigate the issue."}], "source": {"advisory": "GHSA-fp5j-j7j4-mcxc", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T14:02:18.692736Z", "id": "CVE-2026-31857", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T14:02:26.953Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31857", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-12T14:02:18.692736Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T14:02:22.690Z"}}], "cna": {"title": "CraftCMS has an RCE vulnerability via relational conditionals in the control panel", "source": {"advisory": "GHSA-fp5j-j7j4-mcxc", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "craftcms", "product": "cms", "versions": [{"status": "affected", "version": ">= 5.0.0-RC1, < 5.9.9"}, {"status": "affected", "version": ">= 4.0.0-beta.1, < 4.17.4"}]}], "references": [{"url": "https://github.com/craftcms/cms/security/advisories/GHSA-fp5j-j7j4-mcxc", "name": "https://github.com/craftcms/cms/security/advisories/GHSA-fp5j-j7j4-mcxc", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/craftcms/cms/commit/8d4903647dcfd31b8d40ed027e27082013347a80", "name": "https://github.com/craftcms/cms/commit/8d4903647dcfd31b8d40ed027e27082013347a80", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Craft is a content management system (CMS). Prior to 5.9.9 and 4.17.4, a Remote Code Execution vulnerability exists in the Craft CMS 5 conditions system. The BaseElementSelectConditionRule::getElementIds() method passes user-controlled string input through renderObjectTemplate() -- an unsandboxed Twig rendering function with escaping disabled. Any authenticated Control Panel user (including non-admin roles such as Author or Editor) can achieve full RCE by sending a crafted condition rule via standard element listing endpoints. This vulnerability requires no admin privileges, no special permissions beyond basic control panel access, and bypasses all production hardening settings (allowAdminChanges: false, devMode: false, enableTwigSandbox: true). Users should update to the patched 5.9.9 or 4.17.4 release to mitigate the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T17:30:29.092Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31857", "state": "PUBLISHED", "dateUpdated": "2026-03-12T14:02:26.953Z", "dateReserved": "2026-03-09T19:02:25.011Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-11T17:30:29.092Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "7BFD5346-F567-415B-85F0-56039C3040A5", "versionEndExcluding": "4.17.4", "versionStartIncluding": "4.0.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "2C927EB8-ADF2-4A0A-ADA9-8B6C8230D114", "versionEndExcluding": "5.9.9", "versionStartIncluding": "5.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "610F6DE9-720F-45B3-81D5-18E7F6B090FD", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "90542A12-7090-4C23-AEA5-F6F4964783AC", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "7DC582DD-53AB-4CF9-961B-50CF5C8DB579", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "9C45A1E5-D598-415D-81C9-19AC302BE323", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:beta4:*:*:*:*:*:*", "matchCriteriaId": "5515C709-A3D3-4EB1-AA9A-435C63DED7F9", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "CC2F40FC-7C27-456A-B16D-679410D1D5CF", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "FBAA8227-04F8-404C-907B-B0162B325F5A", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "21B28E2C-327A-4CE6-ACAD-97E459712A55", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "1C7461CF-35AB-48E1-88B6-956DAE1D2AB4", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "8D8E02D1-601A-4E2B-B619-4775BFDB72D0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Craft is a content management system (CMS). Prior to 5.9.9 and 4.17.4, a Remote Code Execution vulnerability exists in the Craft CMS 5 conditions system. The BaseElementSelectConditionRule::getElementIds() method passes user-controlled string input through renderObjectTemplate() -- an unsandboxed Twig rendering function with escaping disabled. Any authenticated Control Panel user (including non-admin roles such as Author or Editor) can achieve full RCE by sending a crafted condition rule via standard element listing endpoints. This vulnerability requires no admin privileges, no special permissions beyond basic control panel access, and bypasses all production hardening settings (allowAdminChanges: false, devMode: false, enableTwigSandbox: true). Users should update to the patched 5.9.9 or 4.17.4 release to mitigate the issue."}, {"lang": "es", "value": "Craft es un sistema de gesti\u00f3n de contenido (CMS). Antes de 5.9.9 y 4.17.4, existe una vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo en el sistema de condiciones de Craft CMS 5. El m\u00e9todo BaseElementSelectConditionRule::getElementIds() pasa una entrada de cadena controlada por el usuario a trav\u00e9s de renderObjectTemplate() -- una funci\u00f3n de renderizado de Twig sin 'sandbox' con el escape deshabilitado. Cualquier usuario autenticado del Panel de Control (incluyendo roles no administrativos como Autor o Editor) puede lograr RCE completa enviando una regla de condici\u00f3n especialmente dise\u00f1ada a trav\u00e9s de los puntos finales est\u00e1ndar de listado de elementos. Esta vulnerabilidad no requiere privilegios de administrador, ni permisos especiales m\u00e1s all\u00e1 del acceso b\u00e1sico al panel de control, y elude todas las configuraciones de endurecimiento de producci\u00f3n (allowAdminChanges: false, devMode: false, enableTwigSandbox: true). Los usuarios deben actualizar a la versi\u00f3n parcheada 5.9.9 o 4.17.4 para mitigar el problema."}], "id": "CVE-2026-31857", "lastModified": "2026-03-17T14:15:46.283", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-11T18:16:24.360", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/craftcms/cms/commit/8d4903647dcfd31b8d40ed027e27082013347a80"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-fp5j-j7j4-mcxc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.0.0-RC1,5.9.9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.0.0-beta.1,4.17.4)"}}], "enrichment": {"confidence": 83.0, "confidence_source": "matching", "scores": [{"score": 83.0, "source": "matching"}]}, "original": {"product": "cms", "source": "cna", "vendor": "craftcms"}, "product": "craftcms", "vendor": "craftcms"}], "analysis": {"en": {"generated_at": "2026-03-17T17:33:46.336202+00:00", "value": {"mitigation_remediation": ["Update Craft CMS to version 5.9.9 or 4.17.4 (or newer) to eliminate the unsandboxed rendering pathway."], "summary": {"action": "Patch Now", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all authenticated Control Panel users\u2014including non\u2011admin roles such as Author or Editor\u2014on Craft CMS versions prior to 5.9.9 (CMS\u202f5.x) and 4.17.4 (CMS\u202f4.x). The affected product is listed under the provided CPE identifiers for craftcms:craft_cms across the 4.0.0\u2011to\u20115.0.0 series.", "description_and_impact": "Craft CMS\u2019s conditions system passes user-controlled input to the Twig renderObjectTemplate() function without sandboxing or escaping, a flaw classified as CWE-94. An attacker can craft a condition rule and send it through standard element listing endpoints to execute arbitrary code on the server, achieving full control over the site once the exploit is triggered.", "risk_and_exploitability": "The CVSS score of 8.1 indicates high severity. The EPSS score is <1\u202f%, but the requirement of only normal authentication makes it realistic for sites exposing a CP to many users. The vulnerability is not in CISA\u2019s KEV catalog. Exploitation requires valid CP credentials; no additional privilege escalation or network exploitation is needed. The risk is significant for organizations with exposed control panels and fine\u2011grained user roles. The attack vector is via authenticated CP access rather than remote network exposure."}}}}, "created": "2026-03-12T09:57:36.547078+00:00", "updated": "2026-03-20T15:30:14.491025+00:00", "vendors": ["craftcms", "craftcms$PRODUCT$craftcms"]}