{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32261", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-11T15:05:48.397Z", "datePublished": "2026-03-16T18:50:18.158Z", "dateUpdated": "2026-03-16T19:27:05.370Z"}, "containers": {"cna": {"title": "RCE via SSTI for users with permissions to access the Craft CMS Webhooks plugin", "problemTypes": [{"descriptions": [{"cweId": "CWE-1336", "lang": "en", "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.5, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/craftcms/webhooks/security/advisories/GHSA-8wg7-wm29-2rvg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/craftcms/webhooks/security/advisories/GHSA-8wg7-wm29-2rvg"}, {"name": "https://github.com/craftcms/webhooks/commit/88344991a68b07145567c46dfd0ae3328c521f62", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/webhooks/commit/88344991a68b07145567c46dfd0ae3328c521f62"}], "affected": [{"vendor": "craftcms", "product": "webhooks", "versions": [{"version": ">= 3.0.0, < 3.2.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-16T18:50:18.158Z"}, "descriptions": [{"lang": "en", "value": "Webhooks for Craft CMS plugin adds the ability to manage \u201cwebhooks\u201d in Craft CMS, which will send GET or POST requests when certain events occur. From version 3.0.0 to before version 3.2.0, the Webhooks plugin renders user-supplied template content through Twig\u2019s renderString() function without sandbox protection. This allows an authenticated user with access to the Craft control panel and permissions to access the Webhooks plugin to inject Twig template code that calls arbitrary PHP functions. This is possible even if allowAdminChanges is set to false. This issue has been patched in version 3.2.0."}], "source": {"advisory": "GHSA-8wg7-wm29-2rvg", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-16T19:26:49.954134Z", "id": "CVE-2026-32261", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T19:27:05.370Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32261", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-16T19:26:49.954134Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T19:26:53.273Z"}}], "cna": {"title": "RCE via SSTI for users with permissions to access the Craft CMS Webhooks plugin", "source": {"advisory": "GHSA-8wg7-wm29-2rvg", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "craftcms", "product": "webhooks", "versions": [{"status": "affected", "version": ">= 3.0.0, < 3.2.0"}]}], "references": [{"url": "https://github.com/craftcms/webhooks/security/advisories/GHSA-8wg7-wm29-2rvg", "name": "https://github.com/craftcms/webhooks/security/advisories/GHSA-8wg7-wm29-2rvg", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/craftcms/webhooks/commit/88344991a68b07145567c46dfd0ae3328c521f62", "name": "https://github.com/craftcms/webhooks/commit/88344991a68b07145567c46dfd0ae3328c521f62", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Webhooks for Craft CMS plugin adds the ability to manage \u201cwebhooks\u201d in Craft CMS, which will send GET or POST requests when certain events occur. From version 3.0.0 to before version 3.2.0, the Webhooks plugin renders user-supplied template content through Twig\u2019s renderString() function without sandbox protection. This allows an authenticated user with access to the Craft control panel and permissions to access the Webhooks plugin to inject Twig template code that calls arbitrary PHP functions. This is possible even if allowAdminChanges is set to false. This issue has been patched in version 3.2.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1336", "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-16T18:50:18.158Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32261", "state": "PUBLISHED", "dateUpdated": "2026-03-16T19:27:05.370Z", "dateReserved": "2026-03-11T15:05:48.397Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-16T18:50:18.158Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Webhooks for Craft CMS plugin adds the ability to manage \u201cwebhooks\u201d in Craft CMS, which will send GET or POST requests when certain events occur. From version 3.0.0 to before version 3.2.0, the Webhooks plugin renders user-supplied template content through Twig\u2019s renderString() function without sandbox protection. This allows an authenticated user with access to the Craft control panel and permissions to access the Webhooks plugin to inject Twig template code that calls arbitrary PHP functions. This is possible even if allowAdminChanges is set to false. This issue has been patched in version 3.2.0."}, {"lang": "es", "value": "El plugin Webhooks para Craft CMS a\u00f1ade la capacidad de gestionar 'webhooks' en Craft CMS, que enviar\u00e1 solicitudes GET o POST cuando ocurran ciertos eventos. Desde la versi\u00f3n 3.0.0 hasta antes de la versi\u00f3n 3.2.0, el plugin Webhooks renderiza contenido de plantilla proporcionado por el usuario a trav\u00e9s de la funci\u00f3n renderString() de Twig sin protecci\u00f3n de sandbox. Esto permite a un usuario autenticado con acceso al panel de control de Craft y permisos para acceder al plugin Webhooks inyectar c\u00f3digo de plantilla Twig que llama a funciones PHP arbitrarias. Esto es posible incluso si allowAdminChanges est\u00e1 configurado como false. Este problema ha sido parcheado en la versi\u00f3n 3.2.0."}], "id": "CVE-2026-32261", "lastModified": "2026-04-16T14:47:16.733", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-16T19:16:17.577", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/craftcms/webhooks/commit/88344991a68b07145567c46dfd0ae3328c521f62"}, {"source": "security-advisories@github.com", "url": "https://github.com/craftcms/webhooks/security/advisories/GHSA-8wg7-wm29-2rvg"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1336"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.0.0,3.2.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "webhooks", "source": "cna", "vendor": "craftcms"}, "product": "webhooks", "vendor": "craftcms"}], "analysis": {"en": {"generated_at": "2026-03-16T22:54:38.816007+00:00", "value": {"mitigation_remediation": ["Update the Webhooks plugin to version 3.2.0 or newer, where the vulnerability is fixed.", "If an upgrade cannot be applied immediately, disable the Webhooks plugin or set it to read\u2011only mode to prevent template rendering.", "Restrict control\u2011panel access so that only trusted, least\u2011privilege users have permissions to manage the Webhooks plugin.", "Audit other Craft CMS plugins that use Twig\u2019s renderString() without sandbox protection and apply available patches or restrictions."], "summary": {"action": "Patch Now", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "All installations of the Webhooks plugin from version 3.0.0 up to, but not including, 3.2.0 are affected. Users with control\u2011panel access and the appropriate permissions to manage the plugin are required to exploit the flaw; the issue persists even when the allowAdminChanges setting is disabled.", "description_and_impact": "The Webhooks plugin for Craft CMS, versions 3.0.0 through 3.1.x, renders user\u2011supplied template content via Twig\u2019s renderString() without any sandbox protection. This implementation flaw lets an authenticated user who can access the plugin through the Craft control panel inject arbitrary Twig code that invokes any PHP function. Consequently, an attacker can execute arbitrary server\u2011side code, compromising confidentiality, integrity, and availability of the affected system.", "risk_and_exploitability": "The CVSS score of 8.5 signals a high\u2011severity vulnerability. EPSS data is unavailable, and the issue is not listed in CISA\u2019s KEV catalog. Exploitation requires authenticated access with plugin permissions, but does not depend on remote network access if the attacker can reach the control panel. Given the severity and lack of mitigation in older versions, the risk to affected installations is significant."}}}}, "created": "2026-03-17T09:52:20.075932+00:00", "updated": "2026-03-24T10:50:00.390635+00:00", "vendors": ["craftcms", "craftcms$PRODUCT$webhooks"]}