CVE-2026-25498

Craft is a platform for creating digital experiences. In versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a Remote Code Execution (RCE) vulnerability exists in Craft CMS where the assembleLayoutFromPost() function in src/services/Fields.php fails to sanitize user-supplied configuration data before passing it to Craft::createObject(). This allows authenticated administrators to inject malicious Yii2 behavior configurations that execute arbitrary system commands on the server. This vulnerability represents an unpatched variant of the behavior injection vulnerability addressed in CVE-2025-68455, affecting different endpoints through a separate code path. This vulnerability is fixed in 5.8.22.
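To make the mechanism in the description concrete, the example below is added here; it is not Craft's code and not the vendor's fix (that is the commit linked under References). It shows, in plain PHP, the Yii2 factory convention that makes an untrusted configuration array dangerous when handed to Craft::createObject() (a thin wrapper over Yii::createObject()): the 'class' key selects the class to instantiate, every other key is set as a property, and on yii\base\Component subclasses keys of the form 'as <name>' and 'on <event>' attach behaviors and event handlers that are themselves built by the same factory. One defensive pattern, applied before the factory call, is an allowlist of classes and scalar properties that rejects behavior and event keys outright. The sanitizeComponentConfig() helper and the class and property names in the sample input are illustrative assumptions, not identifiers taken from Craft's field-layout code.

```php
<?php
// Added illustration (not Craft CMS code): constraining an untrusted Yii2-style
// component configuration before it reaches Craft::createObject().
//
// Yii2 factory semantics that matter here:
//   - $config['class'] names the class to instantiate (the caller picks the class);
//   - every other key is set as a property on the new object;
//   - on yii\base\Component subclasses, 'as <name>' keys attach behaviors and
//     'on <event>' keys attach handlers, each created through the same factory.
// Letting a request body supply this array is CWE-470 (unsafe reflection).

declare(strict_types=1);

final class UnsafeConfigException extends RuntimeException {}

/**
 * Filter an untrusted config array down to an allowlisted class with
 * allowlisted scalar properties. Anything else is rejected loudly rather than
 * silently dropped, so tampering shows up in logs.
 *
 * @param array<string|int,mixed> $config  untrusted (e.g. decoded POST data)
 * @param array<string,string[]>  $allowed class name => permitted property names
 * @return array<string,mixed>    safe to pass to Craft::createObject()
 */
function sanitizeComponentConfig(array $config, array $allowed): array
{
    if (!isset($config['class']) || !is_string($config['class'])) {
        throw new UnsafeConfigException('config must name a class');
    }
    // '\foo\Bar' and 'foo\Bar' name the same class; compare them normalised.
    $class = ltrim($config['class'], '\\');
    if (!array_key_exists($class, $allowed)) {
        throw new UnsafeConfigException("class not allowed: {$class}");
    }

    $clean = ['class' => $class];
    foreach ($config as $key => $value) {
        $key = (string) $key;
        if ($key === 'class') {
            continue;
        }
        // Behavior ('as x') and event ('on x') keys smuggle further object
        // construction into the call; a plain layout element never needs them.
        if (preg_match('/^(as|on)\s/i', $key) === 1) {
            throw new UnsafeConfigException("behavior/event key not allowed: {$key}");
        }
        if (!in_array($key, $allowed[$class], true)) {
            throw new UnsafeConfigException("property not allowed for {$class}: {$key}");
        }
        // A nested array is itself a candidate object config; permit scalars only.
        if ($value !== null && !is_scalar($value)) {
            throw new UnsafeConfigException("property {$key} must be scalar");
        }
        $clean[$key] = $value;
    }
    return $clean;
}

// Constructed sample input. The class and property names are illustrative
// allowlist entries, not a statement about Craft's real field-layout classes.
$allowed = [
    'craft\\fieldlayoutelements\\Heading' => ['heading', 'uid'],
];

$benign  = ['class' => 'craft\\fieldlayoutelements\\Heading', 'heading' => 'Meta', 'uid' => 'e1'];
// The same element with an injected behavior key, the shape the advisory describes.
$hostile = $benign + ['as injected' => ['class' => 'some\\Behavior']];

var_dump(sanitizeComponentConfig($benign, $allowed));

foreach ([$hostile, ['class' => 'Some\\OtherClass']] as $bad) {
    try {
        sanitizeComponentConfig($bad, $allowed);
    } catch (UnsafeConfigException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Run it with the php CLI: the benign config comes back filtered, the injected behavior key and the unlisted class are both refused. The point of throwing instead of stripping is that an administrator account submitting such keys is itself a signal worth logging, since the advisory's attacker is an authenticated administrator.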
Configurations

Configuration 1

OR (any of the following match):
cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*

History

19 Feb 2026, 19:20

Type Values Removed Values Added
Summary
  Added: (es) Spanish translation of the English summary above.
First Time
  Added: Craftcms; Craftcms craft Cms
CVSS
  Removed: v2 : unknown, v3 : unknown
  Added: v2 : unknown, v3 : 7.2
References
  Removed: https://github.com/craftcms/cms/commit/395c64f0b80b507be1c862a2ec942eaacb353748 (no tags)
  Added: https://github.com/craftcms/cms/commit/395c64f0b80b507be1c862a2ec942eaacb353748 - Patch
  Removed: https://github.com/craftcms/cms/releases/tag/5.8.22 (no tags)
  Added: https://github.com/craftcms/cms/releases/tag/5.8.22 - Release Notes
  Removed: https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7 (no tags)
  Added: https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7 - Exploit, Vendor Advisory, Patch
CPE
  Added:
  cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
  cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:*
  cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*
  cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*
  cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*
  cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*
  cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*

09 Feb 2026, 20:15

Type Values Removed Values Added
New CVE

Information

Published : 2026-02-09 20:15

Updated : 2026-02-19 19:20

NVD link : CVE-2026-25498

Mitre link : CVE-2026-25498

CVE.ORG link : CVE-2026-25498

Products Affected

craftcms

  • craft_cms
CWE
CWE-470

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')