{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33157", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T21:17:08.886Z", "datePublished": "2026-03-24T17:22:00.966Z", "dateUpdated": "2026-03-25T03:56:03.039Z"}, "containers": {"cna": {"title": "Craft CMS: Potential authenticated Remote Code Execution via malicious attached Behavior", "problemTypes": [{"descriptions": [{"cweId": "CWE-470", "lang": "en", "description": "CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/craftcms/cms/security/advisories/GHSA-2fph-6v5w-89hh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-2fph-6v5w-89hh"}, {"name": "https://github.com/craftcms/cms/commit/97e90b4bdee369c1af3ca77a77531132df240e4e", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/cms/commit/97e90b4bdee369c1af3ca77a77531132df240e4e"}, {"name": "https://github.com/craftcms/cms/releases/tag/5.9.13", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/cms/releases/tag/5.9.13"}], "affected": [{"vendor": "craftcms", "product": "cms", "versions": [{"version": ">= 5.6.0, < 5.9.13", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T17:22:00.966Z"}, "descriptions": [{"lang": "en", "value": "Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.13, a Remote Code Execution (RCE) vulnerability exists in Craft CMS, it can be exploited by any authenticated user with control panel access. This is a bypass of a previous fix. The existing patches add cleanseConfig() to assembleLayoutFromPost() and various FieldsController actions to strip Yii2 behavior/event injection keys (\"as\" and \"on\" prefixed keys). However, the fieldLayouts parameter in ElementIndexesController::actionFilterHud() is passed directly to FieldLayout::createFromConfig() without any sanitization, enabling the same behavior injection attack chain. This issue has been patched in version 5.9.13."}], "source": {"advisory": "GHSA-2fph-6v5w-89hh", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-33157"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T03:56:03.039Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33157", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-24T18:19:28.474792Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T18:19:43.808Z"}}], "cna": {"title": "Craft CMS: Potential authenticated Remote Code Execution via malicious attached Behavior", "source": {"advisory": "GHSA-2fph-6v5w-89hh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "craftcms", "product": "cms", "versions": [{"status": "affected", "version": ">= 5.6.0, < 5.9.13"}]}], "references": [{"url": "https://github.com/craftcms/cms/security/advisories/GHSA-2fph-6v5w-89hh", "name": "https://github.com/craftcms/cms/security/advisories/GHSA-2fph-6v5w-89hh", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/craftcms/cms/commit/97e90b4bdee369c1af3ca77a77531132df240e4e", "name": "https://github.com/craftcms/cms/commit/97e90b4bdee369c1af3ca77a77531132df240e4e", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/craftcms/cms/releases/tag/5.9.13", "name": "https://github.com/craftcms/cms/releases/tag/5.9.13", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.13, a Remote Code Execution (RCE) vulnerability exists in Craft CMS, it can be exploited by any authenticated user with control panel access. This is a bypass of a previous fix. The existing patches add cleanseConfig() to assembleLayoutFromPost() and various FieldsController actions to strip Yii2 behavior/event injection keys (\"as\" and \"on\" prefixed keys). However, the fieldLayouts parameter in ElementIndexesController::actionFilterHud() is passed directly to FieldLayout::createFromConfig() without any sanitization, enabling the same behavior injection attack chain. This issue has been patched in version 5.9.13."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-470", "description": "CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T17:22:00.966Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33157", "state": "PUBLISHED", "dateUpdated": "2026-03-24T18:19:46.591Z", "dateReserved": "2026-03-17T21:17:08.886Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-24T17:22:00.966Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "C315EDAE-A519-409A-873A-E6D840C98A82", "versionEndExcluding": "5.9.13", "versionStartIncluding": "5.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.13, a Remote Code Execution (RCE) vulnerability exists in Craft CMS, it can be exploited by any authenticated user with control panel access. This is a bypass of a previous fix. The existing patches add cleanseConfig() to assembleLayoutFromPost() and various FieldsController actions to strip Yii2 behavior/event injection keys (\"as\" and \"on\" prefixed keys). However, the fieldLayouts parameter in ElementIndexesController::actionFilterHud() is passed directly to FieldLayout::createFromConfig() without any sanitization, enabling the same behavior injection attack chain. This issue has been patched in version 5.9.13."}, {"lang": "es", "value": "Craft CMS es un sistema de gesti\u00f3n de contenido (CMS). Desde la versi\u00f3n 5.6.0 hasta antes de la versi\u00f3n 5.9.13, existe una vulnerabilidad de Ejecuci\u00f3n Remota de C\u00f3digo (RCE) en Craft CMS, que puede ser explotada por cualquier usuario autenticado con acceso al panel de control. Esto es una elusi\u00f3n de una correcci\u00f3n anterior. Los parches existentes a\u00f1aden cleanseConfig() a assembleLayoutFromPost() y a varias acciones de FieldsController para eliminar las claves de inyecci\u00f3n de comportamiento/evento de Yii2 ('claves prefijadas con 'as' y 'on'). Sin embargo, el par\u00e1metro fieldLayouts en ElementIndexesController::actionFilterHud() se pasa directamente a FieldLayout::createFromConfig() sin ninguna sanitizaci\u00f3n, lo que permite la misma cadena de ataque de inyecci\u00f3n de comportamiento. Este problema ha sido parcheado en la versi\u00f3n 5.9.13."}], "id": "CVE-2026-33157", "lastModified": "2026-03-26T17:08:13.740", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-24T18:16:09.590", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/craftcms/cms/commit/97e90b4bdee369c1af3ca77a77531132df240e4e"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/craftcms/cms/releases/tag/5.9.13"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-2fph-6v5w-89hh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-470"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.6.0,5.9.13)"}}], "enrichment": {"confidence": 83.0, "confidence_source": "matching", "scores": [{"score": 83.0, "source": "matching"}]}, "original": {"product": "cms", "source": "cna", "vendor": "craftcms"}, "product": "craftcms", "vendor": "craftcms"}], "analysis": {"en": {"generated_at": "2026-03-24T18:52:25.781135+00:00", "value": {"mitigation_remediation": ["Update Craft CMS to version 5.9.13 or newer where the fieldLayouts injection check is applied."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Craft CMS content\u2011management system, specifically any instance running from version 5.6.0 up to, but not including, version 5.9.13.\n", "description_and_impact": "Craft CMS versions 5.6.0 through before 5.9.13 contain a flaw that allows any authenticated user with control panel access to submit a field layout containing malicious behavior definitions, bypassing the normal sanitization that removes Yii2 behavior/event injection keys. This injection path leads to remote code execution, giving attackers the ability to run arbitrary code on the server with the process owner\u2019s privileges.\n", "risk_and_exploitability": "The CVSS score of 8.6 indicates high severity, but the exploit requires authenticated control panel permissions, reducing its exposure compared to unauthenticated attacks. EPSS data is unavailable, and the vulnerability is not listed in CISA\u2019s KEV catalog, suggesting it may not yet be widely exploited. The attack vector is inferred to be an authenticated user leveraging the control panel to submit the malicious layout.\n"}}}}, "created": "2026-03-25T11:47:01.302176+00:00", "updated": "2026-03-25T20:49:47.003570+00:00", "vendors": ["craftcms", "craftcms$PRODUCT$craftcms"]}