Description
Craft CMS (composer package craftcms/cms) versions >= 5.5.0 and <= 5.9.13 contain a remote code execution vulnerability in the FieldsController::actionRenderCardPreview() method, which passes the fieldLayoutConfig POST parameter directly to Fields::createLayout() without calling Component::cleanseConfig(). An authenticated admin user can inject Yii2 event handlers (e.g., 'on init' keys) via the fieldLayoutConfig parameter to execute arbitrary PHP code and disclose sensitive information (such as environment variables containing database credentials and CRAFT_SECURITY_KEY). The issue is fixed in version 5.9.14.
Published: 2026-06-21
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability results from a missing sanitization step in Craft CMS’s FieldsController::actionRenderCardPreview(), which allows an authenticated administrator to submit a fieldLayoutConfig POST parameter containing Yii2 event handlers such as a custom 'on init' key. By doing so, the attacker can inject arbitrary PHP code that executes within the application context, exposing full control over the web server and enabling disclosure of sensitive information, including database credentials and the CRAFT_SECURITY_KEY. This flaw is a classic code injection weakness (CWE‑94).

Affected Systems

All installations of the craftcms/cms composer package from version 5.5.0 up to and including 5.9.13 are impacted. Any deployed instance that provides administrative access to field layout configuration is vulnerable. The issue is resolved by upgrading to version 5.9.14 or newer.

Risk and Exploitability

The CVSS score of 8.6 signifies a high‑severity flaw. No EPSS score is available and the vulnerability is not yet listed in CISA’s KEV catalog, but it requires authenticated administrator privileges to exploit. Because the flaw permits arbitrary PHP execution, an attacker could compromise confidentiality, integrity, and availability of the affected site and potentially take over the entire application environment.

Generated by OpenCVE AI on June 21, 2026 at 16:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Craft CMS to version 5.9.14 or later to apply the vendor’s fix.
  • Restrict the ability to edit field layouts so that only authorized administrators can submit fieldLayoutConfig data, and consider disabling the route for users without that role.
  • If current credentials or keys may have been exposed, reset database passwords and regenerate the CRAFT_SECURITY_KEY to mitigate possible credential theft.

Generated by OpenCVE AI on June 21, 2026 at 16:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Craftcms
Craftcms craftcms
Vendors & Products Craftcms
Craftcms craftcms

Mon, 22 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Description Craft CMS (composer package craftcms/cms) versions >= 5.5.0 and <= 5.9.13 contain a remote code execution vulnerability in the FieldsController::actionRenderCardPreview() method, which passes the fieldLayoutConfig POST parameter directly to Fields::createLayout() without calling Component::cleanseConfig(). An authenticated admin user can inject Yii2 event handlers (e.g., 'on init' keys) via the fieldLayoutConfig parameter to execute arbitrary PHP code and disclose sensitive information (such as environment variables containing database credentials and CRAFT_SECURITY_KEY). The issue is fixed in version 5.9.14.
Title Craft CMS - Remote Code Execution via Missing Config Sanitization in FieldsController
First Time appeared Juzaweb
Juzaweb cms
Weaknesses CWE-94
CPEs cpe:2.3:a:juzaweb:cms:*:*:*:*:*:*:*:*
Vendors & Products Juzaweb
Juzaweb cms
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-22T10:30:06.022Z

Reserved: 2026-06-21T02:05:47.495Z

Link: CVE-2026-56382

cve-icon Vulnrichment

Updated: 2026-06-22T10:29:43.441Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:08:23Z

Weaknesses
  • CWE-94

    Improper Control of Generation of Code ('Code Injection')