Is CVE-2026-32267 in the CISA Known Exploited Vulnerabilities catalog?

CVE-2026-32267 is not currently listed in the CISA KEV catalog.

Vulnerability intelligence

CVE-2026-32267

An editor creates a blog post. Clicks 'Preview.' Appends one URL parameter. They are now the admin. CVE-2026-32267 exposes a privilege escalation flaw in Craft CMS where preview tokens can be reused to impersonate any user — including the site administrator.

2026

What WebPulse reported · 1 analysis

One URL Parameter Turns a Craft CMS Editor Into an Admin. CVE-2026-32267 Is Authentication Design at Its Worst.

An editor creates a blog post. Clicks 'Preview.' Appends one URL parameter. They are now the admin. CVE-2026-32267 exposes a privilege escalation flaw in Craft

June 20, 2026

View CVE-2026-32267 on the NIST National Vulnerability Database →

Related vulnerabilities

CVE-2026-9082 CVE-2026-8206 CVE-2026-48019 CVE-2026-35273 CVE-2026-11645 CVE-2026-8181 CVE-2026-47291 CVE-2026-45657