Critical RCE Vulnerability in Craft CMS (CVE-2026-31857) Exposed
Severity: High (Score: 74.0)
Sources: Acunetix, nvd.nist.gov, cve.mitre.org
Summary
A Remote Code Execution vulnerability (CVE-2026-31857) has been identified in Craft CMS versions prior to 5.9.9 and 4.17.4. The flaw exists in the BaseElementSelectConditionRule::getElementIds() method, which improperly processes user-controlled input through an unsandboxed Twig rendering function, allowing any authenticated Control Panel user to execute arbitrary code. This vulnerability does not require admin privileges and can be exploited by users with basic access to the control panel. It bypasses all production hardening settings, making it particularly dangerous.

Users are urged to update to the patched versions to mitigate this risk. The vulnerability was published on March 11, 2026. The potential impact is significant, as it allows unauthorized code execution across affected systems.

Key Points:
- CVE-2026-31857 allows RCE for authenticated users in Craft CMS.
- No admin privileges are required to exploit this vulnerability.
- Users must update to versions 5.9.9 or 4.17.4 to mitigate the risk.
Key Entities
- Zero-day Exploit (attack_type)
- CVE-2024-20918 (cve)
- CVE-2024-37899 (cve)
- CVE-2026-21720 (cve)
- CVE-2026-31857 (cve)
- Craft CMS (platform)
- Oracle JRE (platform)
- Twig (platform)
- WordPress (platform)
- XWiki (platform)
- Grafana (company)