VYPR
Unrated severity · NVD Advisory · Published Jun 21, 2026

Craft CMS - Remote Code Execution via Missing Config Sanitization in FieldsController

CVE-2026-56382

Description

Craft CMS (composer package craftcms/cms) versions >= 5.5.0 and <= 5.9.13 contain a remote code execution vulnerability in the FieldsController::actionRenderCardPreview() method, which passes the fieldLayoutConfig POST parameter directly to Fields::createLayout() without calling Component::cleanseConfig(). An authenticated admin user can inject Yii2 event handlers (e.g., 'on init' keys) via the fieldLayoutConfig parameter to execute arbitrary PHP code and disclose sensitive information (such as environment variables containing database credentials and CRAFT_SECURITY_KEY). The issue is fixed in version 5.9.14.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability mechanics

Root cause

"Missing call to Component::cleanseConfig() on the fieldLayoutConfig POST parameter allows Yii2 event handler injection."

Attack vector

An authenticated admin user sends a POST request to `/admin/actions/fields/render-card-preview` with a `fieldLayoutConfig` parameter containing a Yii2 event handler key such as `on init`. Because `Component::cleanseConfig()` is not called, the raw config array is passed to `Fields::createLayout()`, and when the `FieldLayout` object is constructed, Yii2 processes the `on init` key as an event handler registration. During `Component::init()`, the `init` event fires and executes the attacker-supplied PHP function (e.g., `phpinfo`), whose output appears in the HTTP response [ref_id=1].

Affected code

The vulnerability is in `FieldsController::actionRenderCardPreview()`, which passes the `fieldLayoutConfig` POST parameter directly to `Fields::createLayout()` without calling `Component::cleanseConfig()`. This is the same file and pattern as previous fixes in GHSA-4484-8v2f-5748, GHSA-qx2q-q59v-wf3j, and GHSA-2fph-6v5w-89hh [ref_id=1].

What the fix does

The advisory states the fix is in version 5.9.14 but does not include a patch diff. Based on the description, the remediation is to call `Component::cleanseConfig()` on the `fieldLayoutConfig` parameter before passing it to `Fields::createLayout()`, which strips out dangerous Yii2 event handler keys (such as `on init`) from the configuration array, preventing arbitrary PHP function execution [ref_id=1].
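The remediation described above, as an added illustration that is not Craft's own code: a standalone reimplementation of the key-stripping that `Component::cleanseConfig()` is assumed to perform (removing `on <event>` and `as <behavior>` keys recursively), applied to a constructed `fieldLayoutConfig` array of the kind the advisory describes.

```php
<?php
// Added example, not code from Craft CMS. Assumption: the real
// Component::cleanseConfig() strips the same two key prefixes; this is an
// illustrative copy of that behaviour, not the library's implementation.
// Background: in Yii2, Component::__set() treats a key beginning with "on "
// as an event-handler registration and "as " as a behavior attachment, so a
// request-supplied config array must be cleansed before createLayout().

declare(strict_types=1);

function cleanseLayoutConfig(array $config): array
{
    foreach ($config as $key => $value) {
        // Drop "on <event>" and "as <behavior>" keys wherever they appear.
        if (is_string($key) && (str_starts_with($key, 'on ') || str_starts_with($key, 'as '))) {
            unset($config[$key]);
            continue;
        }
        // Recurse so a handler key nested inside tabs/elements is removed too.
        if (is_array($value)) {
            $config[$key] = cleanseLayoutConfig($value);
        }
    }
    return $config;
}

// Constructed sample input: a layout config carrying an injected "on init"
// handler at the top level and an "as ..." key nested inside a tab definition.
$untrusted = [
    'type' => 'craft\elements\Entry',
    'on init' => 'phpinfo',
    'tabs' => [
        ['name' => 'Content', 'as injected' => ['class' => 'SomeBehavior']],
    ],
];

$safe = cleanseLayoutConfig($untrusted);

// Checks a reviewer can run locally: dangerous keys gone, legitimate keys kept.
assert(!array_key_exists('on init', $safe));
assert(!array_key_exists('as injected', $safe['tabs'][0]));
assert($safe['type'] === 'craft\elements\Entry');
assert($safe['tabs'][0]['name'] === 'Content');

echo json_encode($safe, JSON_PRETTY_PRINT), PHP_EOL;
```

The `assert()` calls only fire when `zend.assertions=1` (the PHP development default); in production builds they are compiled out, so run the script with a development php.ini to see the checks take effect.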

Preconditions

  • auth: The attacker must have an active admin session with a valid CraftSessionId and CRAFT_CSRF_TOKEN.
  • network: The attacker must be able to send HTTP POST requests to the Craft CMS backend.
  • input: The attacker supplies a fieldLayoutConfig parameter containing a Yii2 event handler key (e.g., 'on init').

Generated on Jun 22, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
