CVE-2026-25498

EUVD-2026-6844

09.02.2026, 20:15

Craft is a platform for creating digital experiences. In versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a Remote Code Execution (RCE) vulnerability exists in Craft CMS where the assembleLayoutFromPost() function in src/services/Fields.php fails to sanitize user-supplied configuration data before passing it to Craft::createObject(). This allows authenticated administrators to inject malicious Yii2 behavior configurations that execute arbitrary system commands on the server. This vulnerability represents an unpatched variant of the behavior injection vulnerability addressed in CVE-2025-68455, affecting different endpoints through a separate code path. This vulnerability is fixed in 5.8.22.

Unsafe Reflection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.2 HIGH	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 37%

Affected Products (NVD)

Vendor	Product	Version
craftcms	craft_cms	4.0.0 < 𝑥 < 4.16.18
craftcms	craft_cms	5.0.0 < 𝑥 < 5.8.22
craftcms	craft_cms	4.0.0
craftcms	craft_cms	4.0.0:rc1
craftcms	craft_cms	4.0.0:rc2
craftcms	craft_cms	4.0.0:rc3
craftcms	craft_cms	5.0.0
craftcms	craft_cms	5.0.0:rc1

𝑥

= Vulnerable software versions

Known Exploits!

https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7

Common Weakness Enumeration

CWE-470 - Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
The application uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.

References

https://github.com/craftcms/cms/commit/395c64f0b80b507be1c862a2ec942eaacb353748

https://github.com/craftcms/cms/releases/tag/5.8.22

https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7