CVE-2026-33157

EUVD-2026-14934

24.03.2026, 18:16

Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.13, a Remote Code Execution (RCE) vulnerability exists in Craft CMS, it can be exploited by any authenticated user with control panel access. This is a bypass of a previous fix. The existing patches add cleanseConfig() to assembleLayoutFromPost() and various FieldsController actions to strip Yii2 behavior/event injection keys ("as" and "on" prefixed keys). However, the fieldLayouts parameter in ElementIndexesController::actionFilterHud() is passed directly to FieldLayout::createFromConfig() without any sanitization, enabling the same behavior injection attack chain. This issue has been patched in version 5.9.13.

Unsafe Reflection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.2 HIGH	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
craftcms	craft_cms	5.6.0 ≤ 𝑥 < 5.9.13

𝑥

= Vulnerable software versions

Known Exploits!

https://github.com/craftcms/cms/security/advisories/GHSA-2fph-6v5w-89hh

Common Weakness Enumeration

CWE-470 - Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
The application uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.

References

https://github.com/craftcms/cms/commit/97e90b4bdee369c1af3ca77a77531132df240e4e

https://github.com/craftcms/cms/releases/tag/5.9.13

https://github.com/craftcms/cms/security/advisories/GHSA-2fph-6v5w-89hh