Skip to main content

Mondoo

Vulnerability Management
Technology
Services

Solutions

Financial Services
Manufacturing
Healthcare

Resources

Blog
Vulnerability Database
Documentation
GitHub

Company

About
Careers
Partners
Contact

Legal

Privacy
Terms
Imprint

© 2026 Mondoo, Inc.

Log in Get Assessment

Vulnerability IntelligenceGHSA-8wg7-wm29-2rvg

GHSA-8wg7-wm29-2rvg

HIGH8.5

RCE via SSTI for users with permissions to access the Craft CMS Webhooks plugin

Published Mar 16, 2026

Modified 2 months ago

Fix available

Details

The Webhooks plugin renders user-supplied template content through Twig’s renderString() function without sandbox protection. This allows an authenticated user with access to the Craft control panel and permissions to access the Webhooks plugin to inject Twig template code that calls arbitrary PHP functions.

This is possible even if allowAdminChanges is set to false.

Affected users should update to version 3.2.0 to mitigate the issue.

Affected Packages

craftcms/webhooks

Packagist

Fixed in:

3.2.0

References

https://github.com/advisories/GHSA-8wg7-wm29-2rvg

https://github.com/craftcms/webhooks

https://github.com/craftcms/webhooks/commit/88344991a68b07145567c46dfd0ae3328c521f62

https://github.com/craftcms/webhooks/security/advisories/GHSA-8wg7-wm29-2rvg

https://nvd.nist.gov/vuln/detail/CVE-2026-32261

Aliases

CVSS Analysis

CVSS v4.0

8.5

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Attack Requirements

NoneAT:N

Privileges Required

HighPR:H

User Interaction

NoneUI:N

Vulnerable System

Vuln. Confidentiality

HighVC:H

Vuln. Integrity

HighVI:H

Vuln. Availability

NoneVA:N

Subsequent System

Subseq. Confidentiality

NoneSC:N

Subseq. Integrity

NoneSI:N

Subseq. Availability

NoneSA:N

8.5/CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Related

Ecosystems

Timeline

PublishedMar 16, 2026

ModifiedMar 16, 2026

GHSA-8wg7-wm29-2rvg | Mondoo Vulnerability Intelligence