Web Application Vulnerabilities Runtime SCA Findings
Looking for the vulnerability index of Invicti's legacy products?
Invicti Enterprise Acunetix Standard & Premium
Craft CMS Use of Externally-Controlled Input to Select Classes or Code (Unsafe Reflection) Vulnerability - CVE-2026-32263 - Vulnerability Database
Craft CMS

Craft CMS Use of Externally-Controlled Input to Select Classes or Code (Unsafe Reflection) Vulnerability - CVE-2026-32263

High
Reference: CVE-2026-32263
NVD Link: https://nvd.nist.gov/vuln/detail/CVE-2026-32263
Title: Craft CMS Use of Externally-Controlled Input to Select Classes or Code (Unsafe Reflection) Vulnerability
Overview:

Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.11 in src/controllers/EntryTypesController.php the settings array from parse_str is passed directly to Craft::configure() without Component::cleanseConfig(). This allows injecting Yii2 behavior/event handlers via quotasquot or quotonquot prefixed keys the same attack vector as the original advisory. Craft control panel administrator permissions and allowAdminChanges must be enabled for this to work. This issue has been patched in version 5.9.11.