VYPR
← All advisories
High severityNVD Advisory· Published Feb 9, 2026· Updated Feb 10, 2026

Craft has a potential authenticated Remote Code Execution via malicious attached Behavior

CVE-2026-25498

Description

Craft is a platform for creating digital experiences. In versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a Remote Code Execution (RCE) vulnerability exists in Craft CMS where the assembleLayoutFromPost() function in src/services/Fields.php fails to sanitize user-supplied configuration data before passing it to Craft::createObject(). This allows authenticated administrators to inject malicious Yii2 behavior configurations that execute arbitrary system commands on the server. This vulnerability represents an unpatched variant of the behavior injection vulnerability addressed in CVE-2025-68455, affecting different endpoints through a separate code path. This vulnerability is fixed in 5.8.22.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Craft CMS suffers from an authenticated RCE via behavior injection in the assembleLayoutFromPost() function, affecting versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21; fixed in 5.8.22.

Vulnerability

Overview

CVE-2026-25498 is a Remote Code Execution (RCE) vulnerability in Craft CMS, affecting versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21. The flaw resides in the assembleLayoutFromPost() function within src/services/Fields.php, which fails to sanitize user-supplied configuration data before passing it to Craft::createObject(). This allows an attacker to inject malicious Yii2 behavior configurations, leading to arbitrary command execution on the server [1][2].

Exploitation

Exploitation requires authenticated access with administrative privileges. The attacker can craft a request to the affected endpoint, supplying a malicious behavior configuration using the "as " syntax. Unlike a previously patched variant (CVE-2025-68455) that used a wildcard event listener, this variant leverages the typecastAfterValidate callback and does not require the wildcard syntax, demonstrating multiple entry points for behavior injection [2].

Impact

Successful exploitation grants the attacker the ability to execute arbitrary system commands on the underlying server. This can lead to full compromise of the Craft CMS installation, including data exfiltration, privilege escalation, and lateral movement within the hosting environment [1][2].

Mitigation

The vulnerability is fixed in Craft CMS version 5.8.22 (and presumably 4.16.18, as indicated in the advisory). Users running affected versions should upgrade immediately. No workarounds are mentioned; the only mitigation is applying the patch [2][3].

References
  1. NVD - CVE-2026-25498
  2. Potential authenticated Remote Code Execution via malicious attached Behavior
  3. Release 5.8.22 · craftcms/cms

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
craftcms/cmsPackagist
>= 5.0.0-RC1, < 5.8.225.8.22
craftcms/cmsPackagist
>= 4.0.0-RC1, < 4.16.184.16.18

Affected products

2

Patches

1
395c64f0b80b

Fixed GHSA-7jx7-3846-m7w7

https://github.com/craftcms/cmsbrandonkellyJan 9, 2026via ghsa
commit
2 files changed · +2 1
  • CHANGELOG.md+1 0 modified
    @@ -10,6 +10,7 @@
 - Fixed a SQL injection vulnerability. (GHSA-2453-mppf-46cj)
 - Fixed an XSS vulnerability. (GHSA-9f5h-mmq6-2x78)
 - Fixed a permission escalation vulnerability. (GHSA-fxp3-g6gw-4r4v)
+- Fixed an RCE vulnerability. (GHSA-7jx7-3846-m7w7)
 
 ## 4.16.17 - 2025-12-0421
  • src/services/Fields.php+1 1 modified
    @@ -1283,7 +1283,7 @@ public function createLayoutElement(array $config): FieldLayoutElement
     public function assembleLayoutFromPost(?string $namespace = null): FieldLayout
     {
         $paramPrefix = $namespace ? rtrim($namespace, '.') . '.' : '';
-        $config = Json::decode(Craft::$app->getRequest()->getBodyParam($paramPrefix . 'fieldLayout'));
+        $config = ComponentHelper::cleanseConfig(Json::decode(Craft::$app->getRequest()->getBodyParam($paramPrefix . 'fieldLayout')));
         return $this->createLayout($config);
     }

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6

News mentions

0

No linked articles in our index yet.