Description
Craft is a platform for creating digital experiences. In versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a Remote Code Execution (RCE) vulnerability exists in Craft CMS where the assembleLayoutFromPost() function in src/services/Fields.php fails to sanitize user-supplied configuration data before passing it to Craft::createObject(). This allows authenticated administrators to inject malicious Yii2 behavior configurations that execute arbitrary system commands on the server. This vulnerability represents an unpatched variant of the behavior injection vulnerability addressed in CVE-2025-68455, affecting different endpoints through a separate code path. This vulnerability is fixed in 5.8.22.
Published: 2026-02-09
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

Craft CMS allows authenticated administrators to inject malicious Yii2 behavior configurations when creating or updating fields. The assembleLayoutFromPost() function does not sanitize user-supplied configuration data before passing it to Craft::createObject(), which can lead to arbitrary system command execution on the server. This results in a remote code execution vulnerability that compromises confidentiality, integrity, and availability of the affected installation.
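The sanitization step the analysis says is missing, shown as an added illustration in PHP (this is not Craft CMS code and not its actual patch): an allow-list filter for a posted field configuration that refuses the Yii 2 keys ("as ...", "on ...", "class") which would attach a Behavior, an event handler, or override the class before the array reaches createObject(). The allow-list names and the exception class are assumptions.

```php
<?php
// Added illustration, not Craft CMS's own code: check a user-supplied field
// configuration before it is handed to Craft::createObject()/Yii::createObject().
// In Yii 2, when a config array is applied to a Component, a key prefixed "as "
// attaches a Behavior, "on " attaches an event handler, and "class" picks the class.
declare(strict_types=1);

final class UnsafeFieldConfigException extends RuntimeException {}

/**
 * Reduce $config to the allow-listed string keys. Keys that Yii would treat as a
 * behavior, event handler or class override raise instead of being dropped, so the
 * attempt can be logged. Nested arrays are checked recursively because nested config
 * arrays are also materialised with createObject(). $allowedKeys is a hypothetical list.
 */
function sanitizeFieldConfig(array $config, array $allowedKeys, string $path = ''): array
{
    $clean = [];
    foreach ($config as $key => $value) {
        $keyPath = $path === '' ? (string) $key : $path . '.' . $key;
        if (is_string($key)) {
            if (preg_match('/^(as|on)\s/i', $key) === 1) {
                throw new UnsafeFieldConfigException("behavior/event key rejected: $keyPath");
            }
            if (in_array(strtolower($key), ['class', '__class'], true)) {
                throw new UnsafeFieldConfigException("class override rejected: $keyPath");
            }
            if (!in_array($key, $allowedKeys, true)) {
                continue; // unknown setting: drop it rather than pass it through
            }
        }
        // integer keys are list items under an allowed setting: keep, but recurse
        $clean[$key] = is_array($value)
            ? sanitizeFieldConfig($value, $allowedKeys, $keyPath)
            : $value;
    }
    return $clean;
}

// Constructed sample input: two legitimate settings plus a key that must never be
// honoured, because Component::__set() would attach its value as a Behavior.
$posted = [
    'handle'    => 'summary',
    'required'  => true,
    'as inject' => ['class' => 'SomeBehavior'],
];
try {
    var_dump(sanitizeFieldConfig($posted, ['handle', 'required']));
} catch (UnsafeFieldConfigException $e) {
    error_log('Rejected field config: ' . $e->getMessage()); // detection signal
}
```

Because every key is matched against an explicit allow-list, the deny checks only serve to fail loudly; the sample above therefore ends in the catch branch and writes to the error log.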

Affected Systems

Vulnerable versions include Craft CMS 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21. The issue was fixed in version 5.8.22. The vulnerability affects any instance where administrators can create or update fields with custom configuration data.

Risk and Exploitability

With a CVSS score of 8.6, the vulnerability is rated high severity. The EPSS score is under 1%, suggesting a low probability of exploitation at this time, and the vulnerability is not listed in CISA's KEV catalog. The flaw also requires administrator authentication, so an attacker would need valid administrator credentials to exploit it; with those, exploitation could allow complete takeover of the web application server.

Generated by OpenCVE AI on April 17, 2026 at 21:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Craft CMS to version 5.8.22 or later, which contains the fix for the vulnerability.
  • If an upgrade is not immediately possible, limit field configuration editing rights to trusted administrators only and disable the ability to upload or alter behavior configurations where feasible.
  • Continuously monitor system logs for unexpected process creation or execution of unfamiliar commands, and review administrator activity logs for suspicious field updates.

Advisories
Source: GitHub GHSA
ID: GHSA-7jx7-3846-m7w7
Title: Craft CMS Vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior
History

Thu, 19 Feb 2026 19:30:00 +0000

  • First Time appeared (values added): Craftcms craft Cms
  • CPEs (values added):
      cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
      cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:*
      cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*
      cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*
      cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*
      cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*
      cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*
  • Vendors & Products (values added): Craftcms craft Cms
  • Metrics (values added): cvssV3_1, score 7.2, vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Tue, 10 Feb 2026 16:15:00 +0000

  • Metrics (values added): ssvc version 2.0.3, Automatable: no, Exploitation: none, Technical Impact: total

Tue, 10 Feb 2026 15:45:00 +0000

  • First Time appeared (values added): Craftcms; Craftcms craftcms
  • Vendors & Products (values added): Craftcms; Craftcms craftcms

Mon, 09 Feb 2026 20:15:00 +0000

  • Description (values added): identical to the Description at the top of this page
  • Title (values added): Craft has a potential authenticated Remote Code Execution via malicious attached Behavior
  • Weaknesses (values added): CWE-470
  • References (values added): none listed
  • Metrics (values added): cvssV4_0, score 8.6, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

No values were removed in any of these entries.


MITRE
  Status: PUBLISHED
  Assigner: GitHub_M
  Published:
  Updated: 2026-02-10T15:59:54.896Z
  Reserved: 2026-02-02T16:31:35.824Z
  Link: CVE-2026-25498

Vulnrichment
  Updated: 2026-02-10T15:32:09.713Z

NVD
  Status: Analyzed
  Published: 2026-02-09T20:15:58.510
  Modified: 2026-02-19T19:20:46.393
  Link: CVE-2026-25498

Redhat
  No data.

OpenCVE Enrichment
  Updated: 2026-04-17T21:15:27Z

Weaknesses