Craft CMS: A Wave of CVEs in March 2026 - What You Need to Update
March 2026 has been an unusually active month for Craft CMS security disclosures. Over a dozen CVEs were published between 6 and 18 March, spanning Craft CMS core, Craft Commerce, and three official cloud storage integration plugins. If you manage Craft sites and have not reviewed the patch releases this month, now is the time to do so.
This post covers the disclosures in order of severity, with the update targets you need to reach.
The Critical One: CVE-2026-32267 (CVSS 9.8)
The most severe disclosure is a privilege escalation vulnerability in Craft CMS core affecting both Craft 4 and Craft 5. A low-privilege user - or an unauthenticated user who has been sent a shared preview URL - can escalate their access to full administrator level by abusing the UsersController->actionImpersonateWithToken() endpoint.
The practical impact is complete admin takeover with no admin credentials required. This is the disclosure that should trigger immediate action on any site not yet running Craft 4.17.6 or 5.9.12.
Remote Code Execution via the Conditions System: CVE-2026-31857 (CVSS 8.8)
Any authenticated control panel user - including low-privilege roles such as Author or Editor - can achieve full remote code execution by exploiting the conditions system. The BaseElementSelectConditionRule::getElementIds() method passes user-controlled input through renderObjectTemplate(), an unsandboxed Twig rendering function with escaping disabled.
What makes this particularly serious is that it bypasses all production hardening settings: allowAdminChanges: false, devMode: false, and enableTwigSandbox: true are all irrelevant. Any editor-level account is sufficient. Fixed in Craft 4.17.4 and 5.9.9.
SQL Injection via Search Endpoint: CVE-2026-31858 (CVSS 8.8)
The ElementSearchController::actionSearch() endpoint lacks the protection that was applied to ElementIndexesController in response to a prior CVE. The same SQL injection vector - including criteria[orderBy] - works here because the fix was never ported to this controller.
Any authenticated control panel user can inject arbitrary SQL via criteria[where], criteria[orderBy], or other query properties, and extract the full database contents via boolean-based blind injection. No admin privileges required. Fixed in Craft 5.9.9.
Behaviour Injection RCE: CVE-2026-32263 and CVE-2026-32264 (CVSS 7.2)
Two related vulnerabilities allow RCE via Yii2 behaviour injection in EntryTypesController, ElementIndexesController, and FieldsController. In both cases, attacker-controlled input reaches Craft::configure() without being sanitised through Component::cleanseConfig(), allowing injection of arbitrary Yii2 behaviours and event handlers via as- or on-prefixed keys.
These require control panel administrator permissions with allowAdminChanges enabled, which limits the practical attack surface to compromised admin accounts or insider threats. Fixed in Craft 4.17.5 and 5.9.11.
Path Traversal File Deletion: CVE-2026-32262 (CVSS 4.3)
An authenticated user with replaceFiles permission can delete arbitrary files within the same filesystem root by injecting ../ path traversal sequences into the filename parameter of AssetsController->replaceFile(). This only affects local filesystems and requires the attacker to have the specific replaceFiles permission, but could allow deleting files in other volumes or folders sharing the same root. Fixed in Craft 4.17.5 and 5.9.11.
XSS via Return URL: CVE-2026-31859 (CVSS 6.1)
A previous fix for a return URL vulnerability used strip_tags() to sanitise the URL before storing it in session. However, strip_tags() only removes HTML angle brackets - it does not filter URL schemes. Payloads such as javascript:alert(document.cookie) pass through unmodified and enable reflected XSS when the return URL is rendered in an href attribute. Fixed in Craft 5.9.7 and 4.17.3.
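The failure mode above, as an added illustration that is not code from Craft CMS: a strip_tags()-style filter leaves a javascript: URL untouched, whereas a return-URL check that only admits site-relative paths or http(s) URLs on an allowlisted host rejects it. The helper names and the allowed host are assumptions for the example.

```python
import re
from urllib.parse import urlsplit

def php_strip_tags(value):
    """Imitation of PHP strip_tags(): drops <...> sequences and nothing else."""
    return re.sub(r"<[^>]*>", "", value)

def safe_return_url(candidate, allowed_hosts, fallback="/"):
    """Accept only a site-relative path or an http(s) URL on an allowed host."""
    # Browsers ignore ASCII control characters and spaces when reading a
    # scheme ("java\tscript:"), so drop them before inspecting the value.
    cleaned = re.sub(r"[\x00-\x20]", "", candidate)
    # Some browsers treat backslashes as slashes ("/\evil.example"); refuse them.
    if not cleaned or "\\" in cleaned:
        return fallback
    parts = urlsplit(cleaned)
    # Site-relative path: a single leading slash, no scheme, no authority.
    if (cleaned.startswith("/") and not cleaned.startswith("//")
            and parts.scheme == "" and parts.netloc == ""):
        return cleaned
    # Absolute URL: only http(s), and only to a host we explicitly allow.
    if parts.scheme in ("http", "https") and parts.hostname in allowed_hosts:
        return cleaned
    return fallback

if __name__ == "__main__":
    hosts = {"example.com"}  # assumed site host for the example
    for url in ("javascript:alert(document.cookie)", "/admin/entries",
                "//evil.example/admin", "https://example.com/admin"):
        print(f"{url!r:45} strip_tags -> {php_strip_tags(url)!r:40} "
              f"validated -> {safe_return_url(url, hosts)!r}")
```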
CSRF in Preview Token Endpoint: CVE-2026-29113 (CVSS 4.3)
The /actions/preview/create-token endpoint accepts a user-supplied previewToken value and does not require POST or enforce CSRF protection. An attacker can force a logged-in editor to mint a preview token of the attacker's choosing, then use that token without authentication to access unpublished content within the victim's preview scope. Fixed in Craft 4.17.4 and 5.9.7.
Craft Commerce: SQL Injection and Stored XSS
Craft Commerce received its own batch of fixes on 11 March. The two high-severity disclosures are SQL injection vulnerabilities:
- CVE-2026-29174 (8.8) - The sort[0][direction] and sort[0][sortField] parameters in the inventory levels endpoint are concatenated directly into an addOrderBy() clause without validation. An authenticated user with access to the Commerce Inventory section can inject arbitrary SQL and compromise the full database.
- CVE-2026-29172 (8.8) - The sort parameter in the purchasables table endpoint passes the column name directly as an array key to orderBy(). Yii2's query builder does not escape array keys, allowing SQL injection into the ORDER BY clause.
A separate IDOR vulnerability (CVE-2026-31867) allows any user to hijack any shopping cart by knowing or guessing its 32-character order number. No ownership validation is performed - the cart just needs to exist and be incomplete. This exposes session takeover and PII leakage for Commerce-powered storefronts.
Additionally, four stored XSS vulnerabilities (CVE-2026-29173, 29175, 29176, 29177) were patched across various Commerce admin views including inventory pages, order details, and inventory location settings.
All Commerce vulnerabilities are fixed in Commerce 4.10.2 (Craft 4) and Commerce 5.5.3 / 5.6.0 (Craft 5).
Cloud Storage Plugins: Unauthenticated Bucket Listing
All three official Craft CMS cloud storage integration plugins received CVEs on 18 March for the same class of vulnerability: an unauthenticated user with a valid CSRF token can call a plugin endpoint and receive a list of storage buckets or containers the plugin has access to.
- CVE-2026-32265 - Amazon S3 for Craft CMS. Fixed in 2.2.5.
- CVE-2026-32266 - Google Cloud Storage for Craft CMS. Fixed in 2.2.1.
- CVE-2026-32268 - Azure Blob Storage for Craft CMS. Fixed in 2.1.1. The Azure disclosure notes that error messages from the Azure SDK can contain sensitive data, expanding the attack surface beyond bucket enumeration.
These plugins are commonly installed on agency-built Craft sites where assets are served from cloud storage. If you use any of them, update immediately.
Twig SSTI Without Sandbox in the Webhooks Plugin: CVE-2026-32261
The Webhooks plugin for Craft CMS renders user-supplied template content through Twig's renderString() without sandbox protection. An authenticated user with access to the Webhooks plugin in the control panel can inject Twig code that calls arbitrary PHP functions - even with allowAdminChanges set to false. Fixed in Webhooks 3.2.0.
What to Update
To address all disclosures in this advisory, you need to reach the following versions:
- Craft CMS 5 - update to 5.9.12 or later
- Craft CMS 4 - update to 4.17.6 or later
- Craft Commerce 5 - update to 5.6.0 or later
- Craft Commerce 4 - update to 4.11.0 or later
- Amazon S3 plugin - update to 2.2.5
- Google Cloud Storage plugin - update to 2.2.1
- Azure Blob Storage plugin - update to 2.1.1
- Webhooks plugin - update to 3.2.0
Run composer update across your Craft projects and verify the installed versions. For sites where allowAdminChanges is disabled in production (as it should be), the two behaviour injection CVEs are lower priority - but the privilege escalation, RCE via conditions, SQL injection, and cloud storage plugin vulnerabilities all require patching regardless of your hardening configuration.
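One way to verify the installed versions against the targets listed above, as an added script that is not part of Craft CMS or this post's own tooling: it reads composer.lock, compares each covered package against the minimum fixed version for its major line, and reports anything still below the fix. The Composer package names are assumptions; confirm them against your own composer.json.

```python
import json
import re
import sys

# Minimum fixed versions from the advisory, keyed by Composer package name
# (package names assumed). Craft and Commerce have one fixed version per
# major line (4.x and 5.x); None means the minimum applies to every line.
MINIMUMS = {
    "craftcms/cms": {4: "4.17.6", 5: "5.9.12"},
    "craftcms/commerce": {4: "4.11.0", 5: "5.6.0"},
    "craftcms/aws-s3": {None: "2.2.5"},
    "craftcms/google-cloud": {None: "2.2.1"},
    "craftcms/azure-blob": {None: "2.1.1"},
    "craftcms/webhooks": {None: "3.2.0"},
}

def parse_version(text):
    """Turn 'v5.9.11' or '5.9.11' into a comparable int tuple, else None."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None

def audit_lock(lock_json):
    """Return {package: (installed, required)} for every package below its fix."""
    findings = {}
    for pkg in json.loads(lock_json).get("packages", []):
        targets = MINIMUMS.get(pkg.get("name"))
        if targets is None:
            continue  # not one of the packages covered by the advisory
        installed = parse_version(pkg["version"])
        if installed is None:  # e.g. dev-main: cannot compare automatically
            findings[pkg["name"]] = (pkg["version"], "review manually")
            continue
        required = targets.get(installed[0], targets.get(None))
        if required and installed < parse_version(required):
            findings[pkg["name"]] = (pkg["version"], required)
    return findings

# Constructed sample lock file: one patched and two unpatched packages.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "craftcms/cms", "version": "5.9.9"},
    {"name": "craftcms/commerce", "version": "5.6.0"},
    {"name": "craftcms/aws-s3", "version": "2.2.4"},
    {"name": "yiisoft/yii2", "version": "2.0.49"},
]})

if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    for name, (have, need) in sorted(audit_lock(source).items()):
        print(f"{name}: installed {have}, advisory requires {need}")
```

Run it as `python audit_lock.py path/to/composer.lock` after `composer update`; an empty result means every covered package is at or above its fix line.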
If you manage Craft sites for clients and are concerned about your plugin audit process more broadly, our post on auditing your Craft CMS plugins covers the wider approach.
