Is PHP affected by EUVD-2026-12506?

A critical vulnerability in Craft CMS allows authenticated administrators to execute arbitrary code on affected systems. Organizations running Craft 4.x and 5.x versions prior to 4.17.5 and 5.9.11 are at risk if they have enabled admin changes and granted control panel access to untrusted users.

EUVD-2026-12506

| CVE-2026-32264 HIGH

2026-03-16 https://github.com/craftcms/cms

GHSA-4484-8v2f-5748

7.2

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 16, 2026 - 18:32 vuln.today

EUVD ID Assigned

Mar 16, 2026 - 18:32 euvd

EUVD-2026-12506

Patch Released

Mar 16, 2026 - 18:32 nvd

Patch available

CVE Published

Mar 16, 2026 - 18:13 nvd

HIGH 7.2

Description

The fix for https://github.com/advisories/GHSA-7jx7-3846-m7w7 (commit https://github.com/craftcms/cms/commit/395c64f0b80b507be1c862a2ec942eaacb353748) only patched `src/services/Fields.php`, but the same vulnerable pattern exists in `ElementIndexesController` and `FieldsController`. You need Craft control panel administrator permissions, and allowAdminChanges must be enabled for this to work. An attacker can use the same gadget chain from the original advisory to achieve RCE. Users should update to Craft 4.17.5 and 5.9.11 to mitigate the issue.

Analysis

Remote code execution in Craft CMS allows authenticated administrators with control panel access to execute arbitrary code by exploiting an incomplete patch that left the same vulnerable gadget chain pattern in multiple controllers. The vulnerability requires administrative privileges and the allowAdminChanges setting to be enabled, limiting exposure to trusted users with elevated access. …

Remediation

Within 24 hours: Inventory all Craft CMS installations and identify affected versions (pre-4.17.5 and pre-5.9.11). Within 7 days: Apply vendor patches to upgrade to Craft 4.17.5 or 5.9.11 in development/staging environments and validate functionality. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +36

POC: 0

EUVD-2026-12506 vulnerability details – vuln.today

Back

EUVD-2026-12506

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

EUVD-2026-12506

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code