Publish Advisories

GHSA-472v-j2g4-g9h2
GHSA-8wg7-wm29-2rvg
GHSA-qx2q-q59v-wf3j

Author: advisory-database[bot]

advisories/github-reviewed/2026/03/GHSA-472v-j2g4-g9h2/GHSA-472v-j2g4-g9h2.json

@@ -0,0 +1,86 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-472v-j2g4-g9h2",
+  "modified": "2026-03-16T18:11:49Z",
+  "published": "2026-03-16T18:11:49Z",
+  "aliases": [
+    "CVE-2026-32262"
+  ],
+  "summary": "Craft CMS has a Path Traversal Vulnerability in AssetsController",
+  "details": "The `AssetsController->replaceFile()` method has a `targetFilename` body parameter that is used unsanitized in a `deleteFile()` call before `Assets::prepareAssetName()` is applied on save. This allows an authenticated user with `replaceFiles` permission to delete arbitrary files within the same filesystem root by injecting `../` path traversal sequences into the filename.\n\nThis could allow an authenticated user with `replaceFiles` permission on one volume to delete files in other folders/volumes that share the same filesystem root.\n\nThis only affects local filesystems.\n\nUsers should update to Craft 4.17.5 or 5.9.11 to mitigate the issue.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "craftcms/cms"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "4.0.0-RC1"
+            },
+            {
+              "fixed": "4.17.5"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 4.17.4"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "craftcms/cms"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "5.0.0-RC1"
+            },
+            {
+              "fixed": "5.9.11"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 5.9.10"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/craftcms/cms/security/advisories/GHSA-472v-j2g4-g9h2"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/craftcms/cms/commit/c997efbe4c66c14092714233aeebff15cdbfcf11"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/craftcms/cms"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-16T18:11:49Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2026/03/GHSA-8wg7-wm29-2rvg/GHSA-8wg7-wm29-2rvg.json

@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8wg7-wm29-2rvg",
+  "modified": "2026-03-16T18:11:23Z",
+  "published": "2026-03-16T18:11:23Z",
+  "aliases": [
+    "CVE-2026-32261"
+  ],
+  "summary": "RCE via SSTI for users with permissions to access the Craft CMS Webhooks plugin",
+  "details": "The Webhooks plugin renders user-supplied template content through Twig’s `renderString()` function without sandbox protection. This allows an authenticated user with access to the Craft control panel and permissions to access the Webhooks plugin to inject Twig template code that calls arbitrary PHP functions.\n\nThis is possible even if `allowAdminChanges` is set to `false`.\n\nAffected users should update to version 3.2.0 to mitigate the issue.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "craftcms/webhooks"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "3.0.0"
+            },
+            {
+              "fixed": "3.2.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/craftcms/webhooks/security/advisories/GHSA-8wg7-wm29-2rvg"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/craftcms/webhooks/commit/88344991a68b07145567c46dfd0ae3328c521f62"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/craftcms/webhooks"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-1336"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-16T18:11:23Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2026/03/GHSA-qx2q-q59v-wf3j/GHSA-qx2q-q59v-wf3j.json

@@ -0,0 +1,68 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-qx2q-q59v-wf3j",
+  "modified": "2026-03-16T18:12:32Z",
+  "published": "2026-03-16T18:12:32Z",
+  "aliases": [
+    "CVE-2026-32263"
+  ],
+  "summary": "Craft CMS vulnerable to behavior injection RCE via EntryTypesController",
+  "details": "The fix for GHSA-7jx7-3846-m7w7 (commit 395c64f0b80b507be1c862a2ec942eaacb353748) only patched `src/services/Fields.php`, but the same vulnerable pattern exists in `EntryTypesController::actionApplyOverrideSettings()`.\n\nIn `src/controllers/EntryTypesController.php` lines 381-387:\n\n```php\n$settingsStr = $this->request->getBodyParam('settings');\nparse_str($settingsStr, $postedSettings);\n$settingsNamespace = $this->request->getRequiredBodyParam('settingsNamespace');\n$settings = array_filter(ArrayHelper::getValue($postedSettings, $settingsNamespace, []));\n\nif (!empty($settings)) {\n    Craft::configure($entryType, $settings);\n```\n\nThe `$settings` array from `parse_str` is passed directly to `Craft::configure()` without `Component::cleanseConfig()`. This allows injecting Yii2 behavior/event handlers via `as ` or `on ` prefixed keys, the same attack vector as the original advisory.\n\nYou need Craft control panel administrator permissions, and `allowAdminChanges` must be enabled for this to work.\n\nAn attacker can use the same gadget chain from the original advisory to achieve RCE.\n\nUsers should update to Craft 5.9.11 to mitigate the issue.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "craftcms/cms"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "5.6.0"
+            },
+            {
+              "fixed": "5.9.11"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 5.9.10"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/craftcms/cms/security/advisories/GHSA-qx2q-q59v-wf3j"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/craftcms/cms/commit/d37389dbffafa565143be40a2ab1e1db22a863f7"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/craftcms/cms"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-470"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-16T18:12:32Z",
+    "nvd_published_at": null
+  }
+}