216.73.216.133

CVE-2026-32261

· Published 16/03/2026 19:16 · Modified 17/03/2026 14:20

Labels: CVE-2026-32261 2026-03-16CVE-2026-32261CWE-1336[email protected]

Essential information

Published
16/03/2026 19:16
Modified
17/03/2026 14:20
Author
Creator
CVSS
8.5 HIGH (v3) 8.5 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

Webhooks for Craft CMS plugin adds the ability to manage “webhooks” in Craft CMS, which will send GET or POST requests when certain events occur. From version 3.0.0 to before version 3.2.0, the Webhooks plugin renders user-supplied template content through Twig’s renderString() function without sandbox protection. This allows an authenticated user with access to the Craft control panel and permissions to access the Webhooks plugin to inject Twig template code that calls arbitrary PHP functions. This is possible even if allowAdminChanges is set to false. This issue has been patched in version 3.2.0.

NVD status

Status
Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
craftcms / webhooks cpe:2.3:a:craftcms:webhooks:*:<3.2.0:*:*:*:*:*:*

References