Craft CMS: Potential authenticated Remote Code Execution via malicious attached Behavior
Description
Craft CMS is a content management system (CMS). Versions 5.6.0 up to, but not including, 5.9.13 contain a Remote Code Execution (RCE) vulnerability that can be exploited by any authenticated user with control panel access. It is a bypass of a previous fix: the earlier patches added cleanseConfig() to assembleLayoutFromPost() and to several FieldsController actions in order to strip the Yii2 behavior- and event-injection keys (keys prefixed with "as " and "on ") from user-supplied configuration. However, the fieldLayouts parameter of ElementIndexesController::actionFilterHud() was passed directly to FieldLayout::createFromConfig() without that sanitization, so the same behavior-injection attack chain remained reachable through that action. The issue has been patched in version 5.9.13.
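To make the injection mechanics concrete, the following is an added example and not Craft CMS or Yii code. It models, in a stripped-down class, how yii\base\Component::__set interprets "on <event>" and "as <name>" keys when an object is configured from an array (the path a config array takes through a Yii component constructor), and pairs it with a recursive cleanse function in the spirit of the cleanseConfig() the advisory names. The real cleanseConfig() is not on this page, so its behaviour here is an assumption, as are the class and function names and the constructed fieldLayouts-shaped payload.

```php
<?php
declare(strict_types=1);

// Added example: not Craft CMS or Yii code. Models how yii\base\Component::__set
// interprets "on <event>" and "as <name>" keys when an object is configured from
// an array, and how a recursive cleanse drops those keys first. Class and
// function names are assumptions made for this illustration.

class Behavior
{
    public ?object $owner = null;
}

class FileLoggingBehavior extends Behavior
{
    public string $logFile = '';
}

class ConfigurableComponent
{
    public string $name = '';
    public array $tabs = [];
    /** @var array<string, Behavior> */
    private array $behaviors = [];
    /** @var array<string, list<mixed>> */
    private array $handlers = [];

    public function __construct(array $config = [])
    {
        // Same shape as Yii::configure(): every key becomes a property write.
        foreach ($config as $key => $value) {
            $this->__set((string) $key, $value);
        }
    }

    public function __set(string $name, mixed $value): void
    {
        if (strncmp($name, 'on ', 3) === 0) {
            // Yii: $this->on(trim(substr($name, 3)), $value)
            $this->handlers[trim(substr($name, 3))][] = $value;
            return;
        }
        if (strncmp($name, 'as ', 3) === 0) {
            // Yii: attachBehavior(..., Yii::createObject($value)). Whoever supplies
            // the config chooses the class and its properties, which is the
            // primitive the advisory's attack chain builds on.
            $class = (string) ($value['class'] ?? Behavior::class);
            $behavior = new $class();
            foreach ($value as $prop => $propValue) {
                if ($prop !== 'class') {
                    $behavior->$prop = $propValue;
                }
            }
            $behavior->owner = $this;
            $this->behaviors[trim(substr($name, 3))] = $behavior;
            return;
        }
        $this->$name = $value;
    }

    public function behaviors(): array { return $this->behaviors; }
    public function handlers(): array { return $this->handlers; }
}

/**
 * Strip "as "/"on " keys at every nesting level, so a field layout's tabs and
 * elements are covered as well as the top-level config.
 */
function cleanseConfig(array $config): array
{
    $clean = [];
    foreach ($config as $key => $value) {
        if (is_string($key) && (strncmp($key, 'as ', 3) === 0 || strncmp($key, 'on ', 3) === 0)) {
            continue;
        }
        $clean[$key] = is_array($value) ? cleanseConfig($value) : $value;
    }
    return $clean;
}

/** Returns [behaviors attached unsanitized, behaviors attached after cleanse, nested injection keys left]. */
function demo(): array
{
    // Constructed payload in the shape a fieldLayouts entry would take.
    $untrusted = [
        'name' => 'Post content',
        'as pwn' => ['class' => FileLoggingBehavior::class, 'logFile' => '/tmp/attacker'],
        'tabs' => [
            ['name' => 'Content', 'on afterValidate' => 'some_callable'],
        ],
    ];

    $unsafe = new ConfigurableComponent($untrusted);               // behavior attached from input
    $safe = new ConfigurableComponent(cleanseConfig($untrusted));  // injection keys dropped first

    $nestedLeft = 0;
    foreach ($safe->tabs as $tab) {
        foreach (array_keys($tab) as $k) {
            if (is_string($k) && (str_starts_with($k, 'as ') || str_starts_with($k, 'on '))) {
                $nestedLeft++;
            }
        }
    }
    return [count($unsafe->behaviors()), count($safe->behaviors()), $nestedLeft];
}

printf("unsafe=%d safe=%d nested_keys_left=%d\n", ...demo());
```

The point of the recursion in cleanseConfig() is that the fix in 5.9.13 cleanses the whole fieldLayouts array, whose entries in turn carry tab and element configs; a cleanse that only looked at the top-level keys would leave an "as " key one level down for the next constructor to interpret.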
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| craftcms/cms (Packagist) | >= 5.6.0, < 5.9.13 | 5.9.13 |
Patches
2 files changed · +5 −1
CHANGELOG.md+1 −0 modified@@ -10,6 +10,7 @@ - Fixed a bug where drafts within “My Drafts” widgets weren’t getting hyperlinked. ([#18456](https://github.com/craftcms/cms/issues/18456)) - Fixed a bug where nested entries were getting assigned new IDs if they were edited multiple times for the same owner element draft. ([#18461](https://github.com/craftcms/cms/issues/18461)) - Fixed a bug where the “New Tab” button within field layout designers could be positioned incorrectly. ([#18450](https://github.com/craftcms/cms/issues/18450)) +- Fixed a [high-severity](https://github.com/craftcms/cms/security/policy#severity--remediation) RCE vulnerability. ([GHSA-2fph-6v5w-89hh](https://github.com/craftcms/cms/security/advisories/GHSA-2fph-6v5w-89hh)) - Fixed a [low-severity](https://github.com/craftcms/cms/security/policy#severity--remediation) path traversal vulnerability. (GHSA-472v-j2g4-g9h2) ## 5.9.12 - 2026-02-18
src/controllers/ElementIndexesController.php+4 −1 modified@@ -491,7 +491,10 @@ public function actionFilterHud(): Response } if (!empty($fieldLayouts)) { - $condition->setFieldLayouts(array_map(fn(array $config) => FieldLayout::createFromConfig($config), $fieldLayouts)); + $condition->setFieldLayouts(array_map( + fn(array $config) => FieldLayout::createFromConfig($config), + Component::cleanseConfig($fieldLayouts), + )); } $condition->mainTag = 'div';
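Review bot: in the actionFilterHud hunk the cleanse is again applied at a single call site, which is the same per-caller pattern (cleanseConfig() in assembleLayoutFromPost() and the FieldsController actions) that this advisory reports being bypassed; consider moving `Component::cleanseConfig(...)` into FieldLayout::createFromConfig() itself so any future caller is covered by default, and confirm cleanseConfig() recurses, since here it runs on the outer `$fieldLayouts` array rather than on each `$config`. The hunk also shows no change to the file's `use` statements, so check that ElementIndexesController.php already imports the class that defines cleanseConfig(); an unqualified `Component` inside the craft\controllers namespace would otherwise resolve to craft\controllers\Component and fail at runtime.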
References
- github.com/advisories/GHSA-255j-qw47-wjh5 (advisory)
- github.com/advisories/GHSA-2fph-6v5w-89hh (advisory)
- github.com/advisories/GHSA-7jx7-3846-m7w7 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-33157 (advisory)
- github.com/craftcms/cms/commit/97e90b4bdee369c1af3ca77a77531132df240e4e (fix commit)
- github.com/craftcms/cms/releases/tag/5.9.13 (release)
- github.com/craftcms/cms/security/advisories/GHSA-2fph-6v5w-89hh (vendor advisory)