CVE-2026-33157

Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.13, a Remote Code Execution (RCE) vulnerability exists in Craft CMS that can be exploited by any authenticated user with control panel access. This is a bypass of a previous fix. The existing patches add cleanseConfig() to assembleLayoutFromPost() and to various FieldsController actions to strip Yii2 behavior/event injection keys (keys prefixed with "as" and "on"). However, the fieldLayouts parameter in ElementIndexesController::actionFilterHud() is passed directly to FieldLayout::createFromConfig() without any sanitization, enabling the same behavior injection attack chain. This issue has been patched in version 5.9.13.
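The description above hinges on a Yii2 convention: yii\base\Component::__set() treats a property name beginning with "on " as an event-handler attachment and one beginning with "as " as a behavior attachment, and Yii::configure() assigns every key of a config array as a property, so any request-controlled array that reaches that path lets the caller attach arbitrary handlers and behaviors. The following is an added example, not Craft's own code and not the advisory's: cleanseConfig() is a hypothetical stand-in for the sanitizer the advisory names, findInjectionKeys() is an added detection helper, and the $untrusted payload (including the placeholder class names in it) is constructed for the example.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not Craft's code. Yii2 attaches an event handler for any
 * config key starting with "on " and a behavior for any key starting with
 * "as " (yii\base\Component::__set(), reached via Yii::configure()). A
 * request-controlled array passed unsanitized to a createFromConfig()-style
 * factory therefore lets the caller choose which classes/callables get
 * attached. cleanseConfig() below is a hypothetical stand-in for the
 * sanitizer the advisory refers to.
 */

/** Recursively drop "as ..." / "on ..." keys at every nesting level. */
function cleanseConfig(array $config): array
{
    $clean = [];
    foreach ($config as $key => $value) {
        // Yii matches 'on ' / 'as ' case-sensitively with one space; matching
        // any whitespace and any case here is deliberately stricter than that.
        if (is_string($key) && preg_match('/^(?:as|on)\s/i', $key) === 1) {
            continue;
        }
        $clean[$key] = is_array($value) ? cleanseConfig($value) : $value;
    }
    return $clean;
}

/** Return the dotted paths of any injection keys, for logging or detection. */
function findInjectionKeys(array $config, string $prefix = ''): array
{
    $found = [];
    foreach ($config as $key => $value) {
        $path = $prefix === '' ? (string) $key : $prefix . '.' . $key;
        if (is_string($key) && preg_match('/^(?:as|on)\s/i', $key) === 1) {
            $found[] = $path;
        }
        if (is_array($value)) {
            $found = array_merge($found, findInjectionKeys($value, $path));
        }
    }
    return $found;
}

// Constructed sample of a decoded `fieldLayouts`-style request parameter. The
// nested "as ..." and "on ..." keys are the injection points; the class and
// callable names are placeholders, not real gadgets.
$untrusted = [
    'type' => 'craft\\elements\\Entry',
    'tabs' => [
        [
            'name' => 'Content',
            'elements' => [
                ['type' => 'craft\\fieldlayoutelements\\TitleField'],
            ],
            'as injected' => ['class' => 'Attacker\\Behavior', 'cmd' => 'id'],
        ],
    ],
    'on init' => ['Attacker\\Handler', 'run'],
];

// Vulnerable shape (paraphrasing the advisory, not Craft's actual source):
//   $layout = FieldLayout::createFromConfig($untrusted);
// Hardened shape:
//   $layout = FieldLayout::createFromConfig(cleanseConfig($untrusted));

echo 'before: ' . json_encode(findInjectionKeys($untrusted)) . PHP_EOL;
$sanitized = cleanseConfig($untrusted);
echo 'after:  ' . json_encode(findInjectionKeys($sanitized)) . PHP_EOL;
echo json_encode($sanitized, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES) . PHP_EOL;
```

Run it with `php example.php`. The point of the recursive walk is the one the advisory makes: stripping the keys at a single entry point is not enough, because a layout config nests tab and element configs that are themselves fed to Yii, so every code path that turns request data into a component config needs the same cleanse, not just the ones patched first.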
Configurations

Configuration 1

cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*

History

26 Mar 2026, 17:08

Type         Values Removed                     Values Added
CPE                                             cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
CVSS         v2 : unknown; v3 : unknown         v2 : unknown; v3 : 7.2
First Time                                      Craftcms
                                                Craftcms craft Cms
References   (same URL, untagged)               https://github.com/craftcms/cms/commit/97e90b4bdee369c1af3ca77a77531132df240e4e - Patch
References   (same URL, untagged)               https://github.com/craftcms/cms/releases/tag/5.9.13 - Release Notes
References   (same URL, untagged)               https://github.com/craftcms/cms/security/advisories/GHSA-2fph-6v5w-89hh - Exploit, Vendor Advisory
Summary
  • (es, translated to English) Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.13, a Remote Code Execution (RCE) vulnerability exists in Craft CMS that can be exploited by any authenticated user with control panel access. This is a bypass of a previous fix. The existing patches add cleanseConfig() to assembleLayoutFromPost() and to various FieldsController actions to remove the Yii2 behavior/event injection keys (keys prefixed with "as" and "on"). However, the fieldLayouts parameter in ElementIndexesController::actionFilterHud() is passed directly to FieldLayout::createFromConfig() without any sanitization, which allows the same behavior injection attack chain. This issue has been patched in version 5.9.13.

24 Mar 2026, 18:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-03-24 18:16

Updated : 2026-03-26 17:08


NVD link : CVE-2026-33157

Mitre link : CVE-2026-33157

CVE.ORG link : CVE-2026-33157


Products Affected

craftcms

  • craft_cms
CWE
CWE-470

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')