Which versions of PHP are affected by CVE-2026-32261?

A high-severity vulnerability in the Webhooks plugin allows authenticated control panel users to execute arbitrary code on your systems.. A patch is available.

How to fix or mitigate CVE-2026-32261?

Within 24 hours: Identify all systems running the Webhooks plugin and verify current versions. Within 7 days: Apply version 3.2.0 patch to all affected instances and validate successful deployment. Within 30 days: Conduct access review of control panel users with Webhooks permissions and implement principle of least privilege.

PHP CVE-2026-32261

Q: What is the CVSS score of CVE-2026-32261?

CVE-2026-32261 has a CVSS 4.0 base score of 8.5 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-12502 HIGH

Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336)

2026-03-16 https://github.com/craftcms/webhooks

GHSA-8wg7-wm29-2rvg

RCE PHP Ssti

8.5

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Lifecycle Timeline

Re-analysis Queued

Apr 16, 2026 - 14:52 vuln.today

cvss_changed

EUVD ID Assigned

Mar 16, 2026 - 18:32 euvd

EUVD-2026-12502

Analysis Generated

Mar 16, 2026 - 18:32 vuln.today

Patch released

Mar 16, 2026 - 18:32 nvd

Patch available

CVE Published

Mar 16, 2026 - 18:11 nvd

HIGH 8.5

DescriptionNVD

The Webhooks plugin renders user-supplied template content through Twig’s renderString() function without sandbox protection. This allows an authenticated user with access to the Craft control panel and permissions to access the Webhooks plugin to inject Twig template code that calls arbitrary PHP functions.

This is possible even if allowAdminChanges is set to false.

Affected users should update to version 3.2.0 to mitigate the issue.

AnalysisAI

A security vulnerability in renders user-supplied template content (CVSS 8.5) that allows an authenticated user with access. High severity vulnerability requiring prompt remediation. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate to Craft control panel

Delivery

Access Webhooks plugin interface

Exploit

Inject malicious Twig template code

Execution

Execute arbitrary PHP functions

Impact

Compromise system integrity