What is the CVSS score of CVE-2026-31857?

CVE-2026-31857 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.2%.

Which versions of Craft Cms are affected by CVE-2026-31857?

Organizations using Craft face significant risk from CVE-2026-31857, a code injection vulnerability rated CVSS 8.8.. A patch is available.

How to fix or mitigate CVE-2026-31857?

Within 7 days: Identify all affected systems and apply vendor patches promptly. Validate that input sanitization is in place for all user-controlled parameters.

Craft Cms CVE-2026-31857

HIGH

Code Injection (CWE-94)

2026-03-11 security-advisories@github.com

GHSA-fp5j-j7j4-mcxc

RCE Code Injection Craft Cms

8.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 12, 2026 - 22:06 vuln.today

CVE Published

Mar 11, 2026 - 18:16 nvd

HIGH 8.8

DescriptionNVD

Craft is a content management system (CMS). Prior to 5.9.9 and 4.17.4, a Remote Code Execution vulnerability exists in the Craft CMS 5 conditions system. The BaseElementSelectConditionRule::getElementIds() method passes user-controlled string input through renderObjectTemplate() -- an unsandboxed Twig rendering function with escaping disabled. Any authenticated Control Panel user (including non-admin roles such as Author or Editor) can achieve full RCE by sending a crafted condition rule via standard element listing endpoints. This vulnerability requires no admin privileges, no special permissions beyond basic control panel access, and bypasses all production hardening settings (allowAdminChanges: false, devMode: false, enableTwigSandbox: true). Users should update to the patched 5.9.9 or 4.17.4 release to mitigate the issue.

AnalysisAI

Remote code execution in Craft CMS 5 allows authenticated Control Panel users with basic access (including non-admin roles like Author or Editor) to execute arbitrary code by injecting malicious Twig templates through condition rule parameters. The vulnerability exploits an unsandboxed template rendering function that bypasses all security hardening settings, affecting versions prior to 5.9.9 and 4.17.4. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate as non-admin Control Panel user

Delivery

Craft malicious condition rule with Twig template injection

Exploit

Send via element listing endpoint

Execution

renderObjectTemplate() executes unsandboxed Twig code

Impact

Achieve remote code execution

Access

Authenticate as non-admin Control Panel user

Delivery

Craft malicious condition rule with Twig template injection

Exploit

Send via element listing endpoint

Execution

renderObjectTemplate() executes unsandboxed Twig code

Impact

Achieve remote code execution

Vulnerability AssessmentAI

Exploitation	Authenticated Control Panel user account (Author, Editor, or equivalent non-admin role) with access to element listing endpoints in Craft CMS versions prior to 5.9.9 or 4.17.4. Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	Exploitation requires authentication. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	A remote attacker (requires authentication) could exploit this vulnerability to compromise the affected system.
Remediation	Monitor vendor advisories for a patch. Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 7 days: Identify all affected systems and apply vendor patches promptly. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-31857 vulnerability details – vuln.today

Back

Craft Cms CVE-2026-31857

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code