Is PHP affected by EUVD-2026-12504?

A privilege escalation vulnerability exists in Craft CMS that allows authenticated administrators to inject malicious code through entry type settings, potentially compromising the entire content management system and hosted applications.

EUVD-2026-12504

| CVE-2026-32263 HIGH

2026-03-16 https://github.com/craftcms/cms

GHSA-qx2q-q59v-wf3j

7.2

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 16, 2026 - 18:32 vuln.today

EUVD ID Assigned

Mar 16, 2026 - 18:32 euvd

EUVD-2026-12504

Patch Released

Mar 16, 2026 - 18:32 nvd

Patch available

CVE Published

Mar 16, 2026 - 18:12 nvd

HIGH 7.2

Description

The fix for GHSA-7jx7-3846-m7w7 (commit 395c64f0b80b507be1c862a2ec942eaacb353748) only patched `src/services/Fields.php`, but the same vulnerable pattern exists in `EntryTypesController::actionApplyOverrideSettings()`. In `src/controllers/EntryTypesController.php` lines 381-387: ```php $settingsStr = $this->request->getBodyParam('settings'); parse_str($settingsStr, $postedSettings); $settingsNamespace = $this->request->getRequiredBodyParam('settingsNamespace'); $settings = array_filter(ArrayHelper::getValue($postedSettings, $settingsNamespace, [])); if (!empty($settings)) { Craft::configure($entryType, $settings); ``` The `$settings` array from `parse_str` is passed directly to `Craft::configure()` without `Component::cleanseConfig()`. This allows injecting Yii2 behavior/event handlers via `as ` or `on ` prefixed keys, the same attack vector as the original advisory. You need Craft control panel administrator permissions, and `allowAdminChanges` must be enabled for this to work. An attacker can use the same gadget chain from the original advisory to achieve RCE. Users should update to Craft 5.9.11 to mitigate the issue.

Analysis

Unsafe deserialization of untrusted user input in PHP Craft CMS allows authenticated high-privilege users to inject arbitrary Yii2 behaviors and event handlers, enabling remote code execution through the EntryTypesController. An incomplete prior patch for a similar vulnerability left the same dangerous pattern in place, permitting attackers with administrative access to manipulate application configuration and achieve full system compromise. …

Remediation

Within 24 hours: Identify all Craft CMS instances in your environment and verify current versions against CVE-2026-32263. Within 7 days: Apply the available vendor patch to all affected instances and test thoroughly in staging environments before production deployment. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +36

POC: 0

EUVD-2026-12504 vulnerability details – vuln.today

Back

EUVD-2026-12504

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

EUVD-2026-12504

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code