CVE-2026-31857
EUVD-2026-11257
11.03.2026, 18:16
Craft is a content management system (CMS). Prior to 5.9.9 and 4.17.4, a Remote Code Execution vulnerability exists in the Craft CMS 5 conditions system. The BaseElementSelectConditionRule::getElementIds() method passes user-controlled string input through renderObjectTemplate() -- an unsandboxed Twig rendering function with escaping disabled. Any authenticated Control Panel user (including non-admin roles such as Author or Editor) can achieve full RCE by sending a crafted condition rule via standard element listing endpoints. This vulnerability requires no admin privileges, no special permissions beyond basic control panel access, and bypasses all production hardening settings (allowAdminChanges: false, devMode: false, enableTwigSandbox: true). Users should update to the patched 5.9.9 or 4.17.4 release to mitigate the issue.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| craftcms | craft_cms | 4.0.0.1 ≤ x < 4.17.4 |
| craftcms | craft_cms | 5.0.1 ≤ x < 5.9.9 |
| craftcms | craft_cms | 4.0.0 |
| craftcms | craft_cms | 4.0.0:beta1 |
| craftcms | craft_cms | 4.0.0:beta2 |
| craftcms | craft_cms | 4.0.0:beta3 |
| craftcms | craft_cms | 4.0.0:beta4 |
| craftcms | craft_cms | 4.0.0:rc1 |
| craftcms | craft_cms | 4.0.0:rc2 |
| craftcms | craft_cms | 4.0.0:rc3 |
| craftcms | craft_cms | 5.0.0 |
| craftcms | craft_cms | 5.0.0:rc1 |
x = vulnerable software versions
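A version-range check built from the NVD table above, useful for triaging an inventory of Craft CMS installs against this CVE. This is an added example, not code from Craft CMS, NVD or EUVD; the host names are constructed, and accepting Composer-style pre-release tags ("4.0.0-beta.1") alongside the NVD spelling ("4.0.0:beta1") is an assumption about how versions show up in inventory data.

```python
import re

# Affected ranges [lower, upper) and individually listed builds, transcribed
# from the NVD table above; fixed releases from the advisory text.
AFFECTED_RANGES = (((4, 0, 0, 1), (4, 17, 4)), ((5, 0, 1), (5, 9, 9)))
AFFECTED_EXACT = {
    "4.0.0", "4.0.0:beta1", "4.0.0:beta2", "4.0.0:beta3", "4.0.0:beta4",
    "4.0.0:rc1", "4.0.0:rc2", "4.0.0:rc3", "5.0.0", "5.0.0:rc1",
}
FIXED_RELEASE = {4: "4.17.4", 5: "5.9.9"}

# Accepts the NVD spelling ("4.0.0:beta1") and Composer-style tags ("4.0.0-beta.1").
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[:-](alpha|beta|rc)\.?(\d+))?$")


def parse_version(version):
    """Split a Craft version string into (numeric tuple, NVD-style pre-release tag or None)."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Craft CMS version string: {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    tag = f"{m.group(2)}{m.group(3)}" if m.group(2) else None
    return nums, tag


def is_affected(version):
    """Return (affected, fixed_release_or_None) for one installed version."""
    nums, tag = parse_version(version)
    canonical = ".".join(map(str, nums)) + (f":{tag}" if tag else "")
    if canonical in AFFECTED_EXACT:
        affected = True
    elif tag is not None:
        # Pre-release builds count as affected only where NVD lists them explicitly.
        affected = False
    else:
        # Tuple comparison handles four-part versions such as 4.0.0.1 correctly.
        affected = any(lo <= nums < hi for lo, hi in AFFECTED_RANGES)
    return affected, (FIXED_RELEASE.get(nums[0]) if affected else None)


def triage(inventory):
    """inventory: iterable of (host, version). Returns [(host, version, fixed_release)] needing the patch."""
    return [(h, v, is_affected(v)[1]) for h, v in inventory if is_affected(v)[0]]


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [("cms-prod-1", "5.9.8"), ("cms-prod-2", "5.9.9"),
              ("legacy-1", "4.0.0-beta.2"), ("legacy-2", "4.17.4")]
    for host, ver, fixed in triage(sample):
        print(f"{host}: {ver} is affected, update to {fixed}")
```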