VYPR
High severity · OSV Advisory · Published Jan 5, 2026 · Updated Jan 6, 2026

Craft CMS vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior

CVE-2025-68455

Description

Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior. Note that attackers must have administrator access to the Craft Control Panel for this to work. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Craft CMS versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 allow an authenticated administrator to reach remote code execution (RCE) by attaching a malicious Yii Behavior through request-supplied configuration.

Vulnerability

Craft CMS is vulnerable to authenticated Remote Code Execution (RCE) via a maliciously attached Yii Behavior class [1]. The issue sidesteps the earlier fixes for CVE-2024-4990 and CVE-2024-58136: rather than attaching an attacker-defined class, it attaches a legitimate Behavior class that ships with Yii, yii\behaviors\AttributeTypecastBehavior, and abuses its magic __set() and __get() handling so that an arbitrary PHP callable is invoked when an event is fired on the affected Yii Component [1].

Exploitation

Administrator access to the Craft Control Panel is required [1]. With it, the attacker supplies the malicious Behavior in the JSON POST body using Yii's "as <name>" configuration key, which yii\base\Component treats as a behavior attachment [1]. Adding a wildcard event listener ("on *") and pointing it at an arbitrary callable defined through the Behavior causes that callable to run as soon as any event fires on the component [1].

Impact

Successful exploitation allows an attacker to execute arbitrary PHP code on the server, leading to full compromise of the Craft CMS installation [1]. Because the prerequisite is an administrator account, the realistic scenario is a compromised or malicious Control Panel admin escalating from application privileges to the underlying web server.

Mitigation

Versions 5.8.21 and 4.16.17 fix the issue by passing request-supplied layout and component configuration through Component::cleanseConfig() in FieldsController before it reaches Craft::createObject(), so attacker-controlled keys can no longer attach Behaviors or event handlers [1][4]. Users should update immediately. Note that the fix landed in two commits (see the patches below): the follow-up moves the cleanse to after the array_merge with user-supplied settings, so anyone backporting must take both. Restricting and auditing Control Panel administrator accounts reduces exposure in the meantime but is not a fix.
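The following PHP is an added example, not Craft CMS or Yii code, written to illustrate the Exploitation and Mitigation paragraphs above. It relies on one fact about Yii: yii\base\Component::__set() treats a configuration key of the form "as <name>" as a Behavior attachment and "on <event>" as an event-handler attachment, so neither may come from request input. The function cleanse_config(), the dropped-key log, and the sample request body and settings are assumptions made for this example; Craft's own helper is Component::cleanseConfig() and may differ in detail.

```php
<?php
declare(strict_types=1);

// Added example, not Craft CMS or Yii code. Models the cleansing step the fix
// commits add (Component::cleanseConfig()) as a stand-alone function.
// Yii fact it relies on: yii\base\Component::__set() attaches a Behavior for a
// key starting with "as " and an event handler for a key starting with "on ".
// Function name, log format and sample payload are assumptions for this example.
// Requires PHP 8.0+ for str_starts_with().

/**
 * Recursively remove every key Yii would treat as "as <name>" or "on <event>".
 * Dropped key paths are appended to $dropped so the caller can log or alert.
 */
function cleanse_config(array $config, array &$dropped, string $path = ''): array
{
    $clean = [];
    foreach ($config as $key => $value) {
        $keyPath = $path === '' ? (string) $key : $path . '.' . $key;
        if (is_string($key) && (str_starts_with($key, 'as ') || str_starts_with($key, 'on '))) {
            $dropped[] = $keyPath;
            continue; // never let a behavior or handler attachment through
        }
        // Recurse: parse_str()-built settings and JSON bodies nest arbitrarily,
        // and Yii applies the same key rules at every level it configures.
        $clean[$key] = is_array($value)
            ? cleanse_config($value, $dropped, $keyPath)
            : $value;
    }
    return $clean;
}

// Constructed request body in the shape the advisory describes: a legitimate
// Yii behavior class attached under an "as" key plus a wildcard "on *" handler.
$bodyConfig = [
    'elementType' => 'craft\\elements\\Entry',
    'as typecast' => [
        'class' => 'yii\\behaviors\\AttributeTypecastBehavior',
        // attacker-chosen behavior settings would go here
    ],
    'on *' => 'attacker_controlled_callable',
];

// Constructed "settings" merged in afterwards, mirroring the array_merge in
// FieldsController::_fldComponent(). The "part 2" commit exists because a
// cleanse applied to $bodyConfig alone misses keys that arrive this way.
$settings = [
    'nested' => ['on afterSave' => 'another_callable'],
];

// Cleanse the final merged array, i.e. what would reach Craft::createObject().
$dropped = [];
$safe = cleanse_config(array_merge($bodyConfig, $settings), $dropped);

foreach ($dropped as $keyPath) {
    fwrite(STDERR, "dropped attacker-controllable key: {$keyPath}\n");
}
var_export($safe);
```

Run with plain `php`: the three attachment keys ("as typecast", "on *", and the nested "nested.on afterSave") are reported on stderr and the surviving array carries only elementType and an emptied nested array. The point the two fix commits make is the ordering: cleansing each input as it is read is not enough if a later merge can reintroduce keys, so the cleanse belongs on the final array.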

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                    Affected versions          Patched versions
craftcms/cms (Packagist)   >= 5.0.0-RC1, < 5.8.21     5.8.21
craftcms/cms (Packagist)   >= 4.0.0-RC1, < 4.16.17    4.16.17

Affected products: 2

Patches: 3
6e608a1a5bfb

Fixed Fixed GHSA-255j-qw47-wjh5, part 2

https://github.com/craftcms/cms · brandonkelly · Dec 5, 2025 · via ghsa
1 file changed · +3 −1
  • src/controllers/FieldsController.php (+3 −1, modified)
    @@ -657,7 +657,7 @@ private function _fldComponent(?array &$settings = null): FieldLayoutComponent
     
             $layoutConfig['type'] = $elementType;
     
    -        $componentConfig = Component::cleanseConfig($this->request->getBodyParam('config') ?? []);
    +        $componentConfig = $this->request->getBodyParam('config') ?? [];
             $componentConfig['elementType'] = $elementType;
             $settingsStr = $this->request->getBodyParam('settings');
     
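Review bot: dropping the cleanse at the getBodyParam('config') read is only safe because the cleanse is re-applied after the array_merge further down; between this line and that later cleanse, $componentConfig holds raw request input, so a one-line comment here noting that cleansing is deferred until after the settings merge would stop a future refactor from consuming the array earlier.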
    @@ -668,6 +668,8 @@ private function _fldComponent(?array &$settings = null): FieldLayoutComponent
                 $componentConfig = array_merge($componentConfig, $settings);
             }
     
    +        $componentConfig = Component::cleanseConfig($componentConfig);
    +
             $isTab = false;
     
             foreach ($layoutConfig['tabs'] as &$tabConfig) {
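Review bot: cleansing the merged array closes the gap where keys from $settings bypassed the earlier cleanse, but $settings itself is a by-reference parameter (?array &$settings) and leaves this method uncleansed; confirm that no caller feeds the returned $settings into Craft::createObject() or configure() on its own, or cleanse $settings before the merge as well.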
    
ec43c497edde

Fixed GHSA-255j-qw47-wjh5

https://github.com/craftcms/cms · brandonkelly · Dec 5, 2025 · via ghsa
2 files changed · +3 −1
  • CHANGELOG.md (+1 −0, modified)
    @@ -6,6 +6,7 @@
     - Fixed an error that could occur when executing a GraphQL mutation when the `lazyGqlTypes` config setting was enabled. ([#18014](https://github.com/craftcms/cms/issues/18014))
     - Fixed a PHP error that could occur when creating a username that began or ended with an `@`. ([#18123](https://github.com/craftcms/cms/pull/18123))
     - Fixed a bug where assets with disallowed file extensions could be stored in the system’s temp directory. ([#18049](https://github.com/craftcms/cms/pull/18049))
    +- Fixed an RCE vulnerability. (GHSA-255j-qw47-wjh5)
     
     ## 4.16.16 - 2025-11-18
     
    
  • src/controllers/FieldsController.php (+2 −1, modified)
    @@ -478,6 +478,7 @@ private function _fldComponentConfig(): array
             $settingsNamespace = $this->request->getRequiredBodyParam('settingsNamespace');
             $settingsStr = $this->request->getRequiredBodyParam('settings');
             parse_str($settingsStr, $settings);
    -        return array_merge($config, ArrayHelper::getValue($settings, $settingsNamespace, []));
    +        $config = array_merge($config, ArrayHelper::getValue($settings, $settingsNamespace, []));
    +        return Component::cleanseConfig($config);
         }
     }
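Review bot: parse_str() expands bracketed names into nested arrays, so a request can place an "as " or "on " key below the $settingsNamespace level rather than at the top of $config; the cleanse at the return is only sufficient if Component::cleanseConfig() recurses into nested arrays, which is worth pinning with a test that submits a nested attachment key such as settings[ns][sub][as x][class].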
    
27f55886098b

Fixed GHSA-255j-qw47-wjh5

https://github.com/craftcms/cms · brandonkelly · Dec 2, 2025 · via ghsa
2 files changed · +4 −3
  • CHANGELOG.md (+1 −0, modified)
    @@ -11,6 +11,7 @@
     - Fixed a bug where relation fields weren’t handling `:empty:`/`:notempty:` element query params properly if the field had multiple instances within a field layout. ([#18092](https://github.com/craftcms/cms/pull/18092))
     - Fixed a bug where user preferences were being respected for users who formerly had access to the control panel.
     - Fixed a bug where nested entries could be reordered when their owner element was resaved programmatically. ([#18121](https://github.com/craftcms/cms/pull/18121))
    +- Fixed an RCE vulnerability. (GHSA-255j-qw47-wjh5)
     
     ## 5.8.20 - 2025-11-18
     
    
  • src/controllers/FieldsController.php (+3 −3, modified)
    @@ -617,7 +617,7 @@ public function actionRenderCardPreview()
             if (!isset($fieldLayoutConfig['id'])) {
                 $fieldLayout = Craft::createObject([
                     'class' => FieldLayout::class,
    -                ...$fieldLayoutConfig,
    +                ...Component::cleanseConfig($fieldLayoutConfig),
                 ]);
                 $fieldLayout->type = $fieldLayoutConfig['type'];
             } else {
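Review bot: only the spread copy is cleansed; the same $fieldLayoutConfig is read raw on the next line for 'type', and the else branch for an existing 'id' presumably uses it too. Cleansing $fieldLayoutConfig once where it is read from the request, as the second hunk in this commit does for $layoutConfig, would cover every use rather than this one call site.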
    @@ -649,15 +649,15 @@ private function _fldComponent(?array &$settings = null): FieldLayoutComponent
         {
             $uid = $this->request->getRequiredBodyParam('uid');
             $elementType = $this->request->getRequiredBodyParam('elementType');
    -        $layoutConfig = $this->request->getRequiredBodyParam('layoutConfig');
    +        $layoutConfig = Component::cleanseConfig($this->request->getRequiredBodyParam('layoutConfig'));
     
             if (!isset($layoutConfig['tabs'])) {
                 throw new BadRequestHttpException('Layout config doesn’t have any tabs.');
             }
     
             $layoutConfig['type'] = $elementType;
     
    -        $componentConfig = $this->request->getBodyParam('config') ?? [];
    +        $componentConfig = Component::cleanseConfig($this->request->getBodyParam('config') ?? []);
             $componentConfig['elementType'] = $elementType;
             $settingsStr = $this->request->getBodyParam('settings');
     
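Review bot: cleansing each body param at the point it is read leaves anything merged in later uncleansed; the 'settings' body param read at the end of this hunk is merged into $componentConfig afterwards, which is exactly the gap the "part 2" commit (6e608a1a5bfb) above closes by cleansing the merged array instead. Cleanse the final array that reaches Craft::createObject(), not the individual inputs.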
    


References: 7

News mentions: 0 (no linked articles in our index yet)