GHSA-fp5j-j7j4-mcxc

Source

https://github.com/advisories/GHSA-fp5j-j7j4-mcxc

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-fp5j-j7j4-mcxc/GHSA-fp5j-j7j4-mcxc.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-fp5j-j7j4-mcxc

Aliases

CVE-2026-31857

Published

2026-03-11T14:56:45Z

Modified

2026-03-11T21:05:30.729585Z

Severity

8.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U CVSS Calculator

Summary

CraftCMS has an RCE vulnerability via relational conditionals in the control panel

Details

A Remote Code Execution vulnerability exists in the Craft CMS 5 conditions system.

The BaseElementSelectConditionRule::getElementIds() method passes user-controlled string input through renderObjectTemplate() -- an unsandboxed Twig rendering function with escaping disabled.

Any authenticated Control Panel user (including non-admin roles such as Author or Editor) can achieve full RCE by sending a crafted condition rule via standard element listing endpoints.

This vulnerability requires no admin privileges, no special permissions beyond basic control panel access, and bypasses all production hardening settings (allowAdminChanges: false, devMode: false, enableTwigSandbox: true).

Users should update to the patched 5.99 release to mitigate the issue.

Database specific

{
    "cwe_ids": [
        "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-11T14:56:45Z",
    "nvd_published_at": "2026-03-11T18:16:24Z",
    "severity": "HIGH"
}

References

Affected packages

Packagist / craftcms/cms

Package

Name: craftcms/cms
Purl: pkg:composer/craftcms/cms

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0-RC1

Fixed

5.9.9

Affected versions

5.*

5.0.0-RC1

5.0.0

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.1.0

5.1.1

5.1.2

5.1.3

5.1.4

5.1.5

5.1.6

5.1.7

5.1.8

5.1.9

5.1.10

5.2.0-beta.1

5.2.0-beta.2

5.2.0-beta.3

5.2.0-beta.4

5.2.0-beta.5

5.2.0-beta.6

5.2.0

5.2.1

5.2.2

5.2.3

5.2.4

5.2.4.1

5.2.5

5.2.6

5.2.7

5.2.8

5.2.9

5.2.10

5.3.0-beta.1

5.3.0-beta.2

5.3.0

5.3.0.1

5.3.0.2

5.3.0.3

5.3.1

5.3.2

5.3.3

5.3.4

5.3.5

5.3.6

5.4.0

5.4.0.1

5.4.1

5.4.2

5.4.3

5.4.4

5.4.5

5.4.5.1

5.4.6

5.4.7

5.4.7.1

5.4.8

5.4.9

5.4.10

5.4.10.1

5.5.0

5.5.0.1

5.5.1

5.5.1.1

5.5.2

5.5.3

5.5.4

5.5.5

5.5.6

5.5.6.1

5.5.7

5.5.8

5.5.9

5.5.10

5.6.0

5.6.0.1

5.6.0.2

5.6.1

5.6.2

5.6.3

5.6.4

5.6.5

5.6.5.1

5.6.6

5.6.7

5.6.8

5.6.9

5.6.9.1

5.6.10

5.6.10.1

5.6.10.2

5.6.11

5.6.12

5.6.13

5.6.14

5.6.15

5.6.16

5.6.17

5.7.0-beta.1

5.7.0-beta.2

5.7.0

5.7.1

5.7.1.1

5.7.2

5.7.3

5.7.4

5.7.5

5.7.6

5.7.7

5.7.8

5.7.8.1

5.7.8.2

5.7.9

5.7.10

5.7.11

5.8.0

5.8.1

5.8.2

5.8.3

5.8.4

5.8.5

5.8.6

5.8.7

5.8.8

5.8.9

5.8.10

5.8.11

5.8.12

5.8.13

5.8.13.1

5.8.13.2

5.8.14

5.8.15

5.8.16

5.8.17

5.8.18

5.8.19

5.8.20

5.8.21

5.8.22

5.8.23

5.9.0-beta.1

5.9.0-beta.2

5.9.0

5.9.1

5.9.2

5.9.3

5.9.4

5.9.5

5.9.6

5.9.7

5.9.8

Database specific

last_known_affected_version_range

"<= 5.9.8"

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-fp5j-j7j4-mcxc/GHSA-fp5j-j7j4-mcxc.json"

Packagist / craftcms/cms

Package

Name: craftcms/cms
Purl: pkg:composer/craftcms/cms

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0.0-beta.1

Fixed

4.17.4

Affected versions

4.*

4.0.0-beta.1

4.0.0-beta.2

4.0.0-beta.3

4.0.0-beta.4

4.0.0-RC1

4.0.0-RC2

4.0.0-RC3

4.0.0

4.0.0.1

4.0.1

4.0.2

4.0.3

4.0.4

4.0.5

4.0.5.1

4.0.5.2

4.0.6

4.1.0

4.1.0.1

4.1.0.2

4.1.1

4.1.2

4.1.3

4.1.4

4.1.4.1

4.2.0

4.2.0.1

4.2.0.2

4.2.1

4.2.1.1

4.2.2

4.2.3

4.2.4

4.2.5

4.2.5.1

4.2.5.2

4.2.6

4.2.7

4.2.8

4.3.0

4.3.1

4.3.2

4.3.2.1

4.3.3

4.3.4

4.3.5

4.3.6

4.3.6.1

4.3.7

4.3.7.1

4.3.8

4.3.8.1

4.3.8.2

4.3.9

4.3.10

4.3.11

4.4.0-beta.1

4.4.0-beta.2

4.4.0-beta.3

4.4.0-beta.4

4.4.0-beta.5

4.4.0-beta.6

4.4.0-beta.7

4.4.0

4.4.1

4.4.2

4.4.3

4.4.4

4.4.5

4.4.6

4.4.6.1

4.4.7

4.4.7.1

4.4.8

4.4.9

4.4.10

4.4.10.1

4.4.11

4.4.12

4.4.13

4.4.14

4.4.15

4.4.16

4.4.16.1

4.4.17

4.5.0-beta.1

4.5.0-beta.2

4.5.0

4.5.1

4.5.2

4.5.3

4.5.4

4.5.5

4.5.6

4.5.6.1

4.5.7

4.5.8

4.5.9

4.5.10

4.5.11

4.5.11.1

4.5.12

4.5.13

4.5.14

4.5.15

4.6.0-RC1

4.6.0

4.6.1

4.7.0

4.7.1

4.7.2

4.7.2.1

4.7.3

4.7.4

4.8.0

4.8.1

4.8.2

4.8.3

4.8.4

4.8.5

4.8.6

4.8.7

4.8.8

4.8.9

4.8.10

4.8.11

4.9.0

4.9.1

4.9.2

4.9.3

4.9.4

4.9.5

4.9.6

4.9.7

4.10.0-beta.1

4.10.0-beta.2

4.10.0

4.10.1

4.10.2

4.10.3

4.10.4

4.10.5

4.10.6

4.10.7

4.10.8

4.11.0

4.11.0.1

4.11.0.2

4.11.1

4.11.2

4.11.3

4.11.4

4.11.5

4.12.0

4.12.1

4.12.2

4.12.3

4.12.4

4.12.4.1

4.12.5

4.12.6

4.12.6.1

4.12.7

4.12.8

4.12.9

4.13.0

4.13.1

4.13.1.1

4.13.2

4.13.3

4.13.4

4.13.5

4.13.6

4.13.7

4.13.8

4.13.9

4.13.10

4.14.0

4.14.0.1

4.14.0.2

4.14.1

4.14.2

4.14.3

4.14.4

4.14.5

4.14.6

4.14.7

4.14.8

4.14.8.1

4.14.9

4.14.10

4.14.11

4.14.11.1

4.14.12

4.14.13

4.14.14

4.14.15

4.15.0-beta.1

4.15.0-beta.2

4.15.0

4.15.0.1

4.15.0.2

4.15.1

4.15.2

4.15.3

4.15.4

4.15.5

4.15.6

4.15.6.1

4.15.6.2

4.15.7

4.16.0

4.16.1

4.16.2

4.16.3

4.16.4

4.16.5

4.16.6

4.16.6.1

4.16.7

4.16.8

4.16.9

4.16.9.1

4.16.10

4.16.11

4.16.12

4.16.13

4.16.14

4.16.15

4.16.16

4.16.17

4.16.18

4.16.19

4.17.0-beta.1

4.17.0-beta.2

4.17.0

4.17.1

4.17.2

4.17.3

Database specific

last_known_affected_version_range

"<= 4.17.3"

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-fp5j-j7j4-mcxc/GHSA-fp5j-j7j4-mcxc.json"