Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-2fph-6v5w-89hh

Опубликовано: 24 мар. 2026
Источник: github
Github: Прошло ревью
CVSS4: 8.7

Описание

Craft CMS is Vulnerable to Authenticated Remote Code Execution via Malicious Attached Behavior

Summary

A Remote Code Execution (RCE) vulnerability exists in Craft CMS 5.x and 4.x that bypasses the security fixes for GHSA-7jx7-3846-m7w7 and GHSA-255j-qw47-wjh5. This vulnerability can be exploited by any authenticated user with control panel access.

The existing patches add cleanseConfig() to assembleLayoutFromPost() and various FieldsController actions to strip Yii2 behavior/event injection keys (as and on prefixed keys). However, the fieldLayouts parameter in ElementIndexesController::actionFilterHud() is passed directly to FieldLayout::createFromConfig() without any sanitization, enabling the same behavior injection attack chain.

Impact

  • Attack Type: Remote Code Execution (RCE)
  • Authentication Required: Authenticated user with control panel access (accessCp permission)

Vulnerability Details

Root Cause

In ElementIndexesController::actionFilterHud() (line 493-494), the fieldLayouts body parameter is passed to FieldLayout::createFromConfig() without cleanseConfig():

// ElementIndexesController.php:485-494 if ($conditionConfig) { $conditionConfig = Component::cleanseConfig($conditionConfig); // conditionConfig IS cleansed $condition = $conditionsService->createCondition($conditionConfig); } else { $condition = $this->elementType()::createCondition(); } if (!empty($fieldLayouts)) { // fieldLayouts is NOT cleansed! $condition->setFieldLayouts(array_map( fn(array $config) => FieldLayout::createFromConfig($config), $fieldLayouts )); }

Note the inconsistency: conditionConfig is sanitized with cleanseConfig(), but fieldLayouts is not.

Attack Chain

  1. Send a fieldLayouts array containing config with "as <name>" prefixed keys
  2. FieldLayout::createFromConfig($config) -> new self($config) -> Model::__construct($config)
  3. App::configure($this, $config) processes each key
  4. "as rce" key -> Component::__set("as rce", $value) -> Yii::createObject($value) -> instantiates AttributeTypecastBehavior and attaches it to the FieldLayout
  5. "on *" key -> registers a wildcard event handler
  6. parent::__construct() -> init() -> setTabs([]) -> getAvailableNativeFields() -> trigger(EVENT_DEFINE_NATIVE_FIELDS)
  7. The wildcard handler fires -> AttributeTypecastBehavior::beforeSave() -> typecastAttributes()
  8. $this->owner->typecastBeforeSave -> resolved via Component::__get() -> returns the command string from the behavior's own property
  9. call_user_func([ConsoleProcessus::class, 'execute'], $command) -> shell_exec($command)

Prerequisites

  • A user account with control panel access

Ссылки

Пакеты

Наименование

craftcms/cms

composer
Затронутые версииВерсия исправления

>= 5.6.0, <= 5.9.12

5.9.13

EPSS

Процентиль: 18%
0.00057
Низкий

8.7 High

CVSS4

CVE ID

CVE-2026-33157

Дефекты

CWE-470

Связанные уязвимости

nvd логотип

CVE-2026-33157

CVSS3: 7.2
nvd
17 дней назад

Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.13, a Remote Code Execution (RCE) vulnerability exists in Craft CMS, it can be exploited by any authenticated user with control panel access. This is a bypass of a previous fix. The existing patches add cleanseConfig() to assembleLayoutFromPost() and various FieldsController actions to strip Yii2 behavior/event injection keys ("as" and "on" prefixed keys). However, the fieldLayouts parameter in ElementIndexesController::actionFilterHud() is passed directly to FieldLayout::createFromConfig() without any sanitization, enabling the same behavior injection attack chain. This issue has been patched in version 5.9.13.

EPSS

Процентиль: 18%
0.00057
Низкий

8.7 High

CVSS4

CVE ID

CVE-2026-33157

Дефекты

CWE-470