Impact
The vulnerability results from a missing sanitization step in Craft CMS’s FieldsController::actionRenderCardPreview(), which allows an authenticated administrator to submit a fieldLayoutConfig POST parameter containing Yii2 event handlers such as a custom 'on init' key. By doing so, the attacker can inject arbitrary PHP code that executes within the application context, exposing full control over the web server and enabling disclosure of sensitive information, including database credentials and the CRAFT_SECURITY_KEY. This flaw is a classic code injection weakness (CWE‑94).
Affected Systems
All installations of the craftcms/cms composer package from version 5.5.0 up to and including 5.9.13 are impacted. Any deployed instance that provides administrative access to field layout configuration is vulnerable. The issue is resolved by upgrading to version 5.9.14 or newer.
Risk and Exploitability
The CVSS score of 8.6 signifies a high‑severity flaw. No EPSS score is available and the vulnerability is not yet listed in CISA’s KEV catalog, but it requires authenticated administrator privileges to exploit. Because the flaw permits arbitrary PHP execution, an attacker could compromise confidentiality, integrity, and availability of the affected site and potentially take over the entire application environment.
OpenCVE Enrichment