Django REST framework

Vulnerability Instance

Lookup for vulnerabilities affecting packages.

Vulnerability_idVCID-9enr-b6zd-mbh8
Summary
Craft CMS Vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior
A Remote Code Execution (RCE) vulnerability exists in Craft CMS where the `assembleLayoutFromPost()` function in `src/services/Fields.php` fails to sanitize user-supplied configuration data before passing it to `Craft::createObject()`. This allows authenticated administrators to inject malicious Yii2 behavior configurations that execute arbitrary system commands on the server. This vulnerability represents an **unpatched variant** of the behavior injection vulnerability addressed in GHSA-255j-qw47-wjh5, affecting different endpoints through a separate code path.

---
Aliases
0
alias CVE-2026-25498
1
alias GHSA-7jx7-3846-m7w7
Fixed_packages
0
url pkg:composer/craftcms/cms@4.16.18
purl pkg:composer/craftcms/cms@4.16.18
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.18
1
url pkg:composer/craftcms/cms@5.8.22
purl pkg:composer/craftcms/cms@5.8.22
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.22
Affected_packages
0
url pkg:composer/craftcms/cms@4.0.0-RC1
purl pkg:composer/craftcms/cms@4.0.0-RC1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1468-4fdx-kbfr
1
vulnerability VCID-1mb5-28xp-ckd2
2
vulnerability VCID-2vn9-2cs3-vbg3
3
vulnerability VCID-7y4f-ef7t-47eb
4
vulnerability VCID-8u2j-17a4-q7eh
5
vulnerability VCID-9enr-b6zd-mbh8
6
vulnerability VCID-akrv-yqnf-1kg8
7
vulnerability VCID-azr5-12f8-hfbm
8
vulnerability VCID-cys8-jnmu-77ec
9
vulnerability VCID-ec34-nvn3-qbcb
10
vulnerability VCID-f7gc-cgka-tycr
11
vulnerability VCID-hyct-5gap-7kdu
12
vulnerability VCID-jeyh-3jxd-z3g6
13
vulnerability VCID-jhen-vhqx-n7dr
14
vulnerability VCID-jxz8-g6fq-dubw
15
vulnerability VCID-kbrc-85av-nfcn
16
vulnerability VCID-m5rf-usae-yfb7
17
vulnerability VCID-ppet-ruae-1kav
18
vulnerability VCID-qwmy-d2e8-5khw
19
vulnerability VCID-qywv-vf4r-8bh9
20
vulnerability VCID-twuy-wzb7-k7g3
21
vulnerability VCID-vasz-rnn1-67ev
22
vulnerability VCID-w9yn-1573-hyau
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.0.0-RC1
1
url pkg:composer/craftcms/cms@5.0.0-RC1
purl pkg:composer/craftcms/cms@5.0.0-RC1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1468-4fdx-kbfr
1
vulnerability VCID-1mb5-28xp-ckd2
2
vulnerability VCID-39ct-cg7w-kyb6
3
vulnerability VCID-4wkr-jx1w-77hn
4
vulnerability VCID-5mnd-qvaq-k3am
5
vulnerability VCID-5q5g-jrxm-eyhe
6
vulnerability VCID-7y4f-ef7t-47eb
7
vulnerability VCID-8u2j-17a4-q7eh
8
vulnerability VCID-9enr-b6zd-mbh8
9
vulnerability VCID-a3b5-pwyh-yugv
10
vulnerability VCID-akrv-yqnf-1kg8
11
vulnerability VCID-azr5-12f8-hfbm
12
vulnerability VCID-cys8-jnmu-77ec
13
vulnerability VCID-esma-wxje-eqh3
14
vulnerability VCID-fpea-e48p-kfbn
15
vulnerability VCID-hkp9-3hzv-quhk
16
vulnerability VCID-hyct-5gap-7kdu
17
vulnerability VCID-jeyh-3jxd-z3g6
18
vulnerability VCID-jxz8-g6fq-dubw
19
vulnerability VCID-kbrc-85av-nfcn
20
vulnerability VCID-m5rf-usae-yfb7
21
vulnerability VCID-pgm4-svq8-tfc5
22
vulnerability VCID-ppet-ruae-1kav
23
vulnerability VCID-qywv-vf4r-8bh9
24
vulnerability VCID-rb7c-3nkc-gkeg
25
vulnerability VCID-twuy-wzb7-k7g3
26
vulnerability VCID-vasz-rnn1-67ev
27
vulnerability VCID-vvhc-rnpr-ubey
28
vulnerability VCID-w9yn-1573-hyau
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.0.0-RC1
References
0
reference_url https://github.com/craftcms/cms
reference_id
reference_type
scores
url https://github.com/craftcms/cms
1
reference_url https://github.com/craftcms/cms/releases/tag/4.16.18
reference_id
reference_type
scores
url https://github.com/craftcms/cms/releases/tag/4.16.18
2
reference_url https://github.com/craftcms/cms/releases/tag/5.8.22
reference_id
reference_type
scores
url https://github.com/craftcms/cms/releases/tag/5.8.22
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-25498
reference_id CVE-2026-25498
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2026-25498
4
reference_url https://github.com/advisories/GHSA-7jx7-3846-m7w7
reference_id GHSA-7jx7-3846-m7w7
reference_type
scores
url https://github.com/advisories/GHSA-7jx7-3846-m7w7
5
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7
reference_id GHSA-7jx7-3846-m7w7
reference_type
scores
url https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7
Weaknesses
0
cwe_id 470
name Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
description The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.
1
cwe_id 937
name OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
2
cwe_id 1035
name OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
Exploits
Severity_range_scorenull
Exploitabilitynull
Weighted_severitynull
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/vulnerabilities/VCID-9enr-b6zd-mbh8