CVE-2026-33157

Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.13, a Remote Code Execution (RCE) vulnerability exists in Craft CMS, it can be exploited by any authenticated user with control panel access. This is a bypass of a previous fix. The existing patches add cleanseConfig() to assembleLayoutFromPost() and various FieldsController actions to strip Yii2 behavior/event injection keys ("as" and "on" prefixed keys). However, the fieldLayouts parameter in ElementIndexesController::actionFilterHud() is passed directly to FieldLayout::createFromConfig() without any sanitization, enabling the same behavior injection attack chain. This issue has been patched in version 5.9.13.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/craftcms/cms/commit/97e90b4bdee369c1af3ca77a77531132df240e4e	Patch
https://github.com/craftcms/cms/releases/tag/5.9.13	Release Notes
https://github.com/craftcms/cms/security/advisories/GHSA-2fph-6v5w-89hh	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-24 18:16

Updated : 2026-03-26 17:08

NVD link : CVE-2026-33157

Mitre link : CVE-2026-33157

CVE.ORG link : CVE-2026-33157

JSON object : View

Products Affected

craftcms

craft_cms

CWE

CWE-470

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

{"id": "CVE-2026-33157", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.6, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-24T18:16:09.590", "references": [{"url": "https://github.com/craftcms/cms/commit/97e90b4bdee369c1af3ca77a77531132df240e4e", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/craftcms/cms/releases/tag/5.9.13", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/craftcms/cms/security/advisories/GHSA-2fph-6v5w-89hh", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-470"}]}], "descriptions": [{"lang": "en", "value": "Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.13, a Remote Code Execution (RCE) vulnerability exists in Craft CMS, it can be exploited by any authenticated user with control panel access. This is a bypass of a previous fix. The existing patches add cleanseConfig() to assembleLayoutFromPost() and various FieldsController actions to strip Yii2 behavior/event injection keys (\"as\" and \"on\" prefixed keys). However, the fieldLayouts parameter in ElementIndexesController::actionFilterHud() is passed directly to FieldLayout::createFromConfig() without any sanitization, enabling the same behavior injection attack chain. This issue has been patched in version 5.9.13."}, {"lang": "es", "value": "Craft CMS es un sistema de gesti\u00f3n de contenido (CMS). Desde la versi\u00f3n 5.6.0 hasta antes de la versi\u00f3n 5.9.13, existe una vulnerabilidad de Ejecuci\u00f3n Remota de C\u00f3digo (RCE) en Craft CMS, que puede ser explotada por cualquier usuario autenticado con acceso al panel de control. Esto es una elusi\u00f3n de una correcci\u00f3n anterior. Los parches existentes a\u00f1aden cleanseConfig() a assembleLayoutFromPost() y a varias acciones de FieldsController para eliminar las claves de inyecci\u00f3n de comportamiento/evento de Yii2 ('claves prefijadas con 'as' y 'on'). Sin embargo, el par\u00e1metro fieldLayouts en ElementIndexesController::actionFilterHud() se pasa directamente a FieldLayout::createFromConfig() sin ninguna sanitizaci\u00f3n, lo que permite la misma cadena de ataque de inyecci\u00f3n de comportamiento. Este problema ha sido parcheado en la versi\u00f3n 5.9.13."}], "lastModified": "2026-03-26T17:08:13.740", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C315EDAE-A519-409A-873A-E6D840C98A82", "versionEndExcluding": "5.9.13", "versionStartIncluding": "5.6.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}