CVE
CVE-2026-32261
RCE via SSTI for users with permissions to access the Craft CMS Webhooks plugin
The Webhooks plugin renders user-supplied template content through Twig’s renderString() function without sandbox protection. This allows an authenticated user with access to the Craft control panel and permissions to access the Webhooks plugin to inject Twig template code that calls arbitrary PHP functions.
This is possible even if allowAdminChanges is set to false.
Affected users should update to version 3.2.0 to mitigate the issue.
Package Versions Affected
Package Version
patch Availability
No items found.
Automatically patch vulnerabilities without upgrading
Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request
CVSS Version
Severity
Base Score
CVSS Version
Score Vector
C
H
U
8.5
-
4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
C
H
U
0
-
C
H
U
-
Related Resources
No items found.
References
https://github.com/craftcms/webhooks/security/advisories/GHSA-8wg7-wm29-2rvg, https://nvd.nist.gov/vuln/detail/CVE-2026-32261, https://github.com/craftcms/webhooks/commit/88344991a68b07145567c46dfd0ae3328c521f62, https://github.com/craftcms/webhooks
Basic Information
Ecosystem
