CVE-2026-33157

Published: Mar 24, 2026 Last Modified: Mar 24, 2026
ExploitDB:
Other exploit source:
Google Dorks:
HIGH 8,6
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: high
User Interaction: none
Confidentiality: N/A
Integrity: N/A
Availability: N/A

Description

AI Translation Available

Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.13, a Remote Code Execution (RCE) vulnerability exists in Craft CMS, it can be exploited by any authenticated user with control panel access. This is a bypass of a previous fix. The existing patches add cleanseConfig() to assembleLayoutFromPost() and various FieldsController actions to strip Yii2 behavior/event injection keys ('as' and 'on' prefixed keys). However, the fieldLayouts parameter in ElementIndexesController::actionFilterHud() is passed directly to FieldLayout::createFromConfig() without any sanitization, enabling the same behavior injection attack chain. This issue has been patched in version 5.9.13.

470

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

Draft
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Integrity Confidentiality Availability Other
Potential Impacts:
Execute Unauthorized Code Or Commands Alter Execution Logic Dos: Crash, Exit, Or Restart Other Read Application Data
Applicable Platforms
Languages: Interpreted, Java, PHP
View CWE Details
https://github.com/craftcms/cms/commit/97e90b4bdee369c1af3c…
https://github.com/craftcms/cms/commit/97e90b4bdee369c1af3ca77a77531132df240e4e
https://github.com/craftcms/cms/releases/tag/5.9.13
https://github.com/craftcms/cms/releases/tag/5.9.13
https://github.com/craftcms/cms/security/advisories/GHSA-2f…
https://github.com/craftcms/cms/security/advisories/GHSA-2fph-6v5w-89hh