Critical RCE Vulnerability in Craft CMS (CVE-2026-31857) Exposed

Critical RCE Vulnerability in Craft CMS (CVE-2026-31857) Exposed

First seen 12 Apr 2026, 15:46 UTC Acunetixnvd.nist.govcve.mitre.org 93% similarity 74.0

Article Content

Browse articles
ThreatCluster

A Remote Code Execution vulnerability (CVE-2026-31857) has been identified in Craft CMS versions prior to 5.9.9 and 4.17.4. The flaw exists in the BaseElementSelectConditionRule::getElementIds() method, which improperly processes user-controlled input through an unsandboxed Twig rendering function, allowing any authenticated Control Panel user to execute arbitrary code. This vulnerability does not require admin privileges and can be exploited by users with basic access to the control panel. It bypasses all production hardening settings, making it particularly dangerous. Users are urged to update to the patched versions to mitigate this risk. The vulnerability was published on March 11, 2026. The potential impact is significant, as it allows unauthorized code execution across affected systems.

Key Points: • CVE-2026-31857 allows RCE for authenticated users in Craft CMS. • No admin privileges are required to exploit this vulnerability. • Users must update to versions 5.9.9 or 4.17.4 to mitigate the risk.

ThreatCluster AI

Timeline

2024-01-16
CVE-2024-20918 published
2024-06-20
CVE-2024-37899 published
2026-01-27
CVE-2026-21720 published
2026-03-11
CVE-2026-31857 published
2026-04-12
Acunetix and NVD report on the vulnerability

Community

Browse all →