CVE-2026-32261: RCE via SSTI for users with permissions to access the Craft CMS Webhooks plugin

March 16, 2026

The Webhooks plugin renders user-supplied template content through Twig’s renderString() function without sandbox protection. This allows an authenticated user with access to the Craft control panel and permissions to access the Webhooks plugin to inject Twig template code that calls arbitrary PHP functions.

This is possible even if allowAdminChanges is set to false.

Affected users should update to version 3.2.0 to mitigate the issue.

References

github.com/advisories/GHSA-8wg7-wm29-2rvg
github.com/craftcms/webhooks
github.com/craftcms/webhooks/commit/88344991a68b07145567c46dfd0ae3328c521f62
github.com/craftcms/webhooks/security/advisories/GHSA-8wg7-wm29-2rvg
nvd.nist.gov/vuln/detail/CVE-2026-32261

Code Behaviors & Features

Detect and mitigate CVE-2026-32261 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →