Craft CMS Webhooks Plugin Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability exists in the Webhooks for Craft CMS plugin, in versions from 3.0.0 up to, but not including, 3.2.0. The plugin processes user-generated template content using Twig's renderString() function without proper sandboxing. This flaw enables authenticated users with access to the Craft control panel and the Webhooks plugin to inject Twig code that executes arbitrary PHP functions, regardless of the allowAdminChanges setting. The issue has been addressed in version 3.2.0.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where Craft CMS is running.

Remediation

Users are advised to update the Webhooks for Craft CMS plugin to version 3.2.0.
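
To confirm whether a given deployment falls in the affected range, the following added example (not part of the original advisory or the plugin's code) checks a project's composer.lock content against the versions stated above. The Composer package name craftcms/webhooks is an assumption, the sample lock data is constructed, and pre-releases of 3.2.0 are conservatively flagged as affected.

```python
import json
import re

PACKAGE = "craftcms/webhooks"  # assumed Composer package name; not stated in the advisory
AFFECTED_FROM = (3, 0, 0)      # first affected version, per the advisory
FIXED_IN = (3, 2, 0)           # fixed version, per the advisory

# major.minor[.patch][-prerelease][+build], optional leading "v"
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(-[0-9A-Za-z.-]+)?(\+.*)?$")


def is_affected(raw):
    """True if affected, False if not, None if the version cannot be compared
    (branch aliases such as dev-main need manual review)."""
    m = _VERSION_RE.match(raw.strip())
    if not m:
        return None
    core = tuple(int(p) if p else 0 for p in m.group(1, 2, 3))
    prerelease = m.group(4) is not None
    # Assumption: a pre-release of the fixed version may predate the fix.
    if core == FIXED_IN and prerelease:
        return True
    return AFFECTED_FROM <= core < FIXED_IN


def check_lock(lock_text):
    """Return (version, verdict) for the plugin, or None if it is not installed."""
    lock = json.loads(lock_text)
    packages = (lock.get("packages") or []) + (lock.get("packages-dev") or [])
    labels = {True: "affected", False: "not affected", None: "unknown"}
    for pkg in packages:
        if pkg.get("name", "").lower() == PACKAGE:
            version = pkg.get("version", "")
            return version, labels[is_affected(version)]
    return None


# Constructed sample standing in for a real composer.lock file.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "craftcms/cms", "version": "4.5.0"},
    {"name": "craftcms/webhooks", "version": "3.1.0"},
]})

if __name__ == "__main__":
    print(check_lock(SAMPLE_LOCK))
```
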

Added: Mar 16, 2026, 7:20 PM
Updated: Mar 16, 2026, 7:20 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 5.9
remediation: 0.0
relevance: 4.0
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.