VYPR
High severity · 8.6 · GHSA Advisory · Published May 12, 2026 · Updated May 13, 2026

CVE-2026-44011

Description

Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, Craft CMS contains an input-handling flaw in a Yii object creation path that lets any authenticated user inject malicious configuration and execute arbitrary commands on the server. Request-controlled condition field layout data is converted into a live FieldLayout object without passing through a Component::cleanseConfig() boundary. Because Craft configures models before parent::__construct(), attacker-controlled special config keys take effect during object creation, and FieldLayout initialization then triggers an event in the same request. This vulnerability is fixed in 4.17.12 and 5.9.18.
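The boundary the description refers to, as an added example that is not Craft's own Component::cleanseConfig(): a request-side filter that refuses non-array condition config and recursively drops the Yii 2 special keys that attach event handlers ("on ...") and behaviors ("as ..."), reporting each removal so it can be logged. The function name and the sample posted config are constructed for this illustration.

```php
<?php
/**
 * Added example (not Craft's code): a request-boundary filter in the spirit of
 * the cleanseConfig() call the fix adds before createCondition(). It assumes the
 * Yii 2 convention that config keys beginning with "on " register event handlers
 * and keys beginning with "as " attach behaviors. Such keys are never honoured
 * from request data; every removal is appended to $dropped for logging.
 */
function cleanseRequestConfig(mixed $config, array &$dropped, string $path = ''): array
{
    // Only arrays are accepted from the request; strings, objects and scalars
    // are refused outright instead of being handed to an object factory.
    if (!is_array($config)) {
        throw new InvalidArgumentException("Expected array config at '{$path}'");
    }
    $clean = [];
    foreach ($config as $key => $value) {
        $here = $path === '' ? (string)$key : "{$path}.{$key}";
        if (is_string($key) && (str_starts_with($key, 'on ') || str_starts_with($key, 'as '))) {
            $dropped[] = $here; // special key supplied by the client: discard it
            continue;
        }
        // Nested rule configs get the same treatment, so a key hidden several
        // levels down (e.g. inside conditionRules) cannot slip through.
        $clean[$key] = is_array($value) ? cleanseRequestConfig($value, $dropped, $here) : $value;
    }
    return $clean;
}

// Constructed sample shaped like a posted element condition with nested rules.
$posted = [
    'class' => 'craft\\elements\\conditions\\entries\\EntryCondition',
    'conditionRules' => [
        ['class' => 'craft\\elements\\conditions\\TitleConditionRule', 'value' => 'News'],
    ],
];
$dropped = [];
$safe = cleanseRequestConfig($posted, $dropped);
if ($dropped !== []) {
    // A non-empty list here is worth an alert: a client sent handler/behavior keys.
    error_log('Stripped special config keys from request: ' . implode(', ', $dropped));
}
// $safe is now the only thing that should reach createCondition().
```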

Patches

Commit ab85ca7f5f92

Fixed an RCE vulnerability

https://github.com/craftcms/cms · brandonkelly · Mar 26, 2026 · via ghsa
3 files changed · +12 −1
  • CHANGELOG.md (+1 −0) modified
    @@ -5,6 +5,7 @@
     - Fixed a bug where GraphQL results were getting cached even if they contained transform generation URLs. ([#18581](https://github.com/craftcms/cms/issues/18581))
     - Fixed a bug where `aria-activedescendant`, `aria-flowto`, and `aria-owns` attributes weren’t getting namespaced by `{% namespace %}` tags. ([#18577](https://github.com/craftcms/cms/issues/18577))
     - Fixed a [moderate-severity](https://github.com/craftcms/cms/security/policy#severity--remediation) information disclosure vulnerability. (GHSA-gj2p-p9m4-c8gw)
    +- Fixed a [moderate-severity](https://github.com/craftcms/cms/security/policy#severity--remediation) RCE vulnerability.
     
     ## 4.17.11 - 2026-03-17
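Review bot: the new changelog line labels this fix as moderate-severity while the advisory header on this page rates it High (8.6), and unlike the preceding entry it carries no GHSA identifier in parentheses; suggest aligning the severity wording with the published rating and appending the advisory id so the entry can be cross-referenced like its neighbours.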
     
    
  • src/controllers/ElementIndexesController.php (+5 −0) modified
    @@ -517,6 +517,10 @@ protected function condition(): ?ElementConditionInterface
                 return null;
             }
     
    +        if (is_array($conditionConfig)) {
    +            $conditionConfig = Component::cleanseConfig($conditionConfig);
    +        }
    +
             $condition = Craft::$app->getConditions()->createCondition($conditionConfig);
     
             if ($condition instanceof ElementCondition) {
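Review bot: the cleanse step only runs when `$conditionConfig` is an array, so any other value still reaches `createCondition()` untouched; if a plain class-name string is a legitimate input here, a one-line comment saying so would explain why it needs no cleansing, and if it is not, the non-array case should be rejected. Since the identical guard-and-cleanse pair is repeated in ElementIndexSettingsController.php in this same commit, consider moving the cleanse into the conditions service's `createCondition()` so every caller that builds a condition from request data gets the boundary, not only these two controllers.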
    @@ -536,6 +540,7 @@ protected function condition(): ?ElementConditionInterface
                 }
             }
     
    +        /** @var ElementConditionInterface $condition */
             return $condition;
         }
     
    
  • src/controllers/ElementIndexSettingsController.php (+6 −1) modified
    @@ -12,6 +12,7 @@
     use craft\base\PreviewableFieldInterface;
     use craft\elements\conditions\ElementConditionInterface;
     use craft\helpers\ArrayHelper;
    +use craft\helpers\Component;
     use craft\models\UserGroup;
     use craft\services\ElementSources;
     use craft\services\ProjectConfig;
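Review bot: this file gains `use craft\helpers\Component;`, but the ElementIndexesController.php hunk above calls `Component::cleanseConfig()` without adding an import; confirm that controller already imports the helper (or refers to it by its fully qualified name), otherwise the fix fails there at runtime with an undefined class.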
    @@ -263,9 +264,13 @@ public function actionSaveCustomizeSourcesModalSettings(): Response
                         }
     
                         if ($isCustom) {
    +                        $conditionConfig = $postedSettings['condition'];
    +                        if (is_array($conditionConfig)) {
    +                            $conditionConfig = Component::cleanseConfig($conditionConfig);
    +                        }
                             $sourceConfig += [
                                 'label' => $postedSettings['label'],
    -                            'condition' => $conditionsService->createCondition($postedSettings['condition'])->getConfig(),
    +                            'condition' => $conditionsService->createCondition($conditionConfig)->getConfig(),
                             ];
     
                             if (isset($postedSettings['sites']) && $postedSettings['sites'] !== '*') {
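Review bot: `$postedSettings['condition']` is read unconditionally while the code just below guards `$postedSettings['sites']` with `isset()`; a custom source posted without a condition key raises an undefined-index warning and then takes the non-array path, where the value reaches `createCondition()` without cleansing. Suggest treating a missing or non-array condition as a validation error instead of letting it through. On the positive side, cleansing happens before `->getConfig()` is persisted, so the stored source configuration is also free of special keys.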
    
