Description
Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.13, a Remote Code Execution (RCE) vulnerability exists in Craft CMS that can be exploited by any authenticated user with control panel access. This is a bypass of a previous fix. The existing patches add cleanseConfig() to assembleLayoutFromPost() and various FieldsController actions to strip Yii2 behavior/event injection keys ("as" and "on" prefixed keys). However, the fieldLayouts parameter in ElementIndexesController::actionFilterHud() is passed directly to FieldLayout::createFromConfig() without any sanitization, enabling the same behavior injection attack chain. This issue has been patched in version 5.9.13.
Published: 2026-03-24
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via Injected Behavior
Action: Patch Immediately
AI Analysis

Impact

A flaw in Craft CMS versions 5.6.0 through 5.9.12 lets an authenticated user with control-panel access execute arbitrary code on the web server. The fieldLayouts parameter of ElementIndexesController::actionFilterHud() is handed to FieldLayout::createFromConfig() without sanitization. Yii2 treats configuration keys prefixed with "as " as behaviors to attach to the object and keys prefixed with "on " as event handlers to register, so an attacker who controls that configuration can make the CMS instantiate and attach a class of their choosing (CWE-470, unsafe reflection) and run its code. An earlier fix added cleanseConfig() to strip these keys in assembleLayoutFromPost() and the FieldsController actions; this code path was missed, so the same injection chain still works through it.

Affected Systems

Craft CMS installations running any version from 5.6.0 through 5.9.12 are affected. Exploitation needs an account that can reach the control panel, so sites that limit control-panel logins to a small trusted group have a smaller pool of potential attackers but are not safe. The flaw is fixed in Craft CMS 5.9.13, which cleanses the fieldLayouts parameter in ElementIndexesController before it reaches FieldLayout::createFromConfig(), so behaviors and event handlers can no longer be injected there.

Risk and Exploitability

The CVSS v4.0 score of 8.6 (v3.1: 7.2) rates the issue High. The EPSS estimate below 1% means the model predicts a low probability of exploitation in the near term, and the vulnerability is not in CISA's KEV catalog; neither figure says anything about whether a particular site has already been targeted. Both CVSS vectors record PR:H: the attacker must already hold an account with control-panel access, but nothing further is needed (AC:L, UI:N), and the result is full loss of confidentiality, integrity and availability on the host. Because control-panel accounts are routinely issued to editors and contractors, administrators should apply the patch immediately rather than rely on account trust.

Generated by OpenCVE AI on March 26, 2026 at 19:00 UTC.

Remediation

Vendor fix: upgrade to Craft CMS 5.9.13 or later, which sanitizes the fieldLayouts parameter passed from ElementIndexesController::actionFilterHud() to FieldLayout::createFromConfig(). The advisory lists no workaround for earlier versions; restricting control-panel access only limits who can exploit the flaw, it does not remove it.

OpenCVE Recommended Actions

  • Upgrade Craft CMS to version 5.9.13 or later
  • Confirm that all installations run the patched version
  • Restrict control‑panel access to trusted users only, and review which accounts currently hold it
  • Regularly audit field layouts for unexpected changes
  • Monitor logs for requests to the ElementIndexesController filter HUD action (actionFilterHud) whose fieldLayouts parameter contains keys beginning with "as " or "on "; those prefixes are the Yii2 behavior and event-handler injection keys that the fix strips
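
The following is an added example for this page, not code from Craft CMS, Yii2 or OpenCVE. It illustrates the two points above in one place: the Impact paragraph's explanation that Yii2 turns "as "-prefixed config keys into attached behaviors and "on "-prefixed keys into event handlers, and the monitoring recommendation. It models the cleansing the advisory attributes to cleanseConfig() (drop those keys at every depth of the config) and scans a JSON request body for them so captured fieldLayouts parameters can be checked offline. It is written in Python rather than the PHP of the fix; the layout structure, class name and handler name in the sample are constructed placeholders, not Craft's real schema or a working payload.

```python
"""Spot and strip Yii2 behavior/event injection keys in a Craft CMS
field-layout config.

Added example for this page; not code from Craft CMS, Yii2 or OpenCVE.
It models the sanitisation the advisory attributes to cleanseConfig():
drop every key that starts with "as " (Yii2 attaches the value as a
behavior) or "on " (Yii2 registers the value as an event handler) at any
depth of the config array.  The layout structure and names below are
constructed for the example, not Craft's schema or a working payload.
"""
import json

# Prefixes yii\base\Component::__set turns into attachBehavior() / on().
INJECTION_PREFIXES = ("as ", "on ")


def is_injection_key(key):
    """True for the keys Yii2 would turn into a behavior or event handler."""
    return isinstance(key, str) and key.startswith(INJECTION_PREFIXES)


def find_injected_keys(node, path=()):
    """Walk a decoded config and return (path, key) for each injection key,
    where path is the tuple of keys/indices leading to the dict holding it."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            if is_injection_key(key):
                hits.append((path, key))
            hits.extend(find_injected_keys(value, path + (key,)))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            hits.extend(find_injected_keys(item, path + (index,)))
    return hits


def cleanse_config(node):
    """Return a copy of the config with injection keys removed at every
    depth.  The vulnerable code path skipped this step; the fix performs it."""
    if isinstance(node, dict):
        return {key: cleanse_config(value)
                for key, value in node.items() if not is_injection_key(key)}
    if isinstance(node, list):
        return [cleanse_config(item) for item in node]
    return node


def scan_request_body(body):
    """Scan a JSON request body and return dotted paths of offending keys,
    e.g. 'entries.tabs.0.as evil'.  Non-JSON bodies yield no hits."""
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return []
    return [".".join(str(part) for part in path + (key,))
            for path, key in find_injected_keys(data)]


# Constructed fieldLayouts parameter with a behavior smuggled into a tab
# and an event handler at the top level.  Class and handler names are
# placeholders (assumptions for the example), not real or working values.
SAMPLE_FIELD_LAYOUTS = {
    "entries": {
        "tabs": [
            {
                "name": "Content",
                "elements": [{"type": "CustomField", "fieldUid": "abc-123"}],
                "as evil": {"class": "Attacker\\Behavior"},
            }
        ],
        "on afterValidate": "attacker_handler",
    }
}
SAMPLE_BODY = json.dumps(SAMPLE_FIELD_LAYOUTS)


if __name__ == "__main__":
    for dotted in scan_request_body(SAMPLE_BODY):
        print("injection key:", dotted)
    print("cleansed:", json.dumps(cleanse_config(SAMPLE_FIELD_LAYOUTS)))
```

The scanner is only useful where request bodies are available (a WAF, reverse proxy or application log that records POST parameters); standard web-server access logs do not contain them. Matching is on the literal prefix with a trailing space, which is what Yii2 itself checks, so a key such as "asdf" is not flagged.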

Advisories
  Source        ID                    Title
  GitHub GHSA   GHSA-2fph-6v5w-89hh   Craft CMS is Vulnerable to Authenticated Remote Code Execution via Malicious Attached Behavior
History

Thu, 26 Mar 2026 17:15:00 +0000

  Type                 Values Removed   Values Added
  First Time appeared  -                Craftcms craft Cms
  CPEs                 -                cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
  Vendors & Products   -                Craftcms craft Cms
  Metrics              -                cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Wed, 25 Mar 2026 12:00:00 +0000

  Type                 Values Removed   Values Added
  First Time appeared  -                Craftcms; Craftcms craftcms
  Vendors & Products   -                Craftcms; Craftcms craftcms

Tue, 24 Mar 2026 19:15:00 +0000

  Type                 Values Removed   Values Added
  Metrics              -                ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 17:45:00 +0000

  Type                 Values Removed   Values Added
  Description          -                Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.13, a Remote Code Execution (RCE) vulnerability exists in Craft CMS, it can be exploited by any authenticated user with control panel access. This is a bypass of a previous fix. The existing patches add cleanseConfig() to assembleLayoutFromPost() and various FieldsController actions to strip Yii2 behavior/event injection keys ("as" and "on" prefixed keys). However, the fieldLayouts parameter in ElementIndexesController::actionFilterHud() is passed directly to FieldLayout::createFromConfig() without any sanitization, enabling the same behavior injection attack chain. This issue has been patched in version 5.9.13.
  Title                -                Craft CMS: Potential authenticated Remote Code Execution via malicious attached Behavior
  Weaknesses           -                CWE-470
  References           -
  Metrics              -                cvssV4_0 {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T03:56:03.039Z

Reserved: 2026-03-17T21:17:08.886Z

Link: CVE-2026-33157

Vulnrichment

Updated: 2026-03-24T18:19:43.808Z

NVD

Status : Analyzed

Published: 2026-03-24T18:16:09.590

Modified: 2026-03-26T17:08:13.740

Link: CVE-2026-33157

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:20:59Z

Weaknesses