Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-bqep-3c6u-mqhu
Vulnerability ID VCID-bqep-3c6u-mqhu
Aliases CVE-2026-33157
GHSA-2fph-6v5w-89hh
Summary Craft CMS is Vulnerable to Authenticated Remote Code Execution via Malicious Attached Behavior ## Summary A Remote Code Execution (RCE) vulnerability exists in Craft CMS 5.x and 4.x that bypasses the security fixes for GHSA-7jx7-3846-m7w7 and GHSA-255j-qw47-wjh5. This vulnerability can be exploited by any authenticated user with control panel access. The existing patches add `cleanseConfig()` to `assembleLayoutFromPost()` and various `FieldsController` actions to strip Yii2 behavior/event injection keys (`as ` and `on ` prefixed keys). However, the `fieldLayouts` parameter in `ElementIndexesController::actionFilterHud()` is passed directly to `FieldLayout::createFromConfig()` without any sanitization, enabling the same behavior injection attack chain. ## Impact - **Attack Type**: Remote Code Execution (RCE) - **Authentication Required**: Authenticated user with control panel access (`accessCp` permission) ## Vulnerability Details ### Root Cause In `ElementIndexesController::actionFilterHud()` (line 493-494), the `fieldLayouts` body parameter is passed to `FieldLayout::createFromConfig()` without `cleanseConfig()`: ```php // ElementIndexesController.php:485-494 if ($conditionConfig) { $conditionConfig = Component::cleanseConfig($conditionConfig); // conditionConfig IS cleansed $condition = $conditionsService->createCondition($conditionConfig); } else { $condition = $this->elementType()::createCondition(); } if (!empty($fieldLayouts)) { // fieldLayouts is NOT cleansed! $condition->setFieldLayouts(array_map( fn(array $config) => FieldLayout::createFromConfig($config), $fieldLayouts )); } ``` Note the inconsistency: `conditionConfig` is sanitized with `cleanseConfig()`, but `fieldLayouts` is not. ### Attack Chain 1. Send a `fieldLayouts` array containing config with `"as <name>"` prefixed keys 2. `FieldLayout::createFromConfig($config)` -> `new self($config)` -> `Model::__construct($config)` 3. `App::configure($this, $config)` processes each key 4. `"as rce"` key -> `Component::__set("as rce", $value)` -> `Yii::createObject($value)` -> instantiates `AttributeTypecastBehavior` and attaches it to the FieldLayout 5. `"on *"` key -> registers a wildcard event handler 6. `parent::__construct()` -> `init()` -> `setTabs([])` -> `getAvailableNativeFields()` -> `trigger(EVENT_DEFINE_NATIVE_FIELDS)` 7. The wildcard handler fires -> `AttributeTypecastBehavior::beforeSave()` -> `typecastAttributes()` 8. `$this->owner->typecastBeforeSave` -> resolved via `Component::__get()` -> returns the command string from the behavior's own property 9. `call_user_func([ConsoleProcessus::class, 'execute'], $command)` -> `shell_exec($command)` ### Prerequisites - A user account with control panel access
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00101 https://api.first.org/data/v1/epss?cve=CVE-2026-33157
cvssv4 8.7 https://github.com/advisories/GHSA-255j-qw47-wjh5
generic_textual HIGH https://github.com/advisories/GHSA-255j-qw47-wjh5
cvssv4 8.7 https://github.com/advisories/GHSA-7jx7-3846-m7w7
generic_textual HIGH https://github.com/advisories/GHSA-7jx7-3846-m7w7
cvssv4 8.7 https://github.com/craftcms/cms
generic_textual HIGH https://github.com/craftcms/cms
cvssv4 8.6 https://github.com/craftcms/cms/commit/97e90b4bdee369c1af3ca77a77531132df240e4e
cvssv4 8.7 https://github.com/craftcms/cms/commit/97e90b4bdee369c1af3ca77a77531132df240e4e
generic_textual HIGH https://github.com/craftcms/cms/commit/97e90b4bdee369c1af3ca77a77531132df240e4e
ssvc Track https://github.com/craftcms/cms/commit/97e90b4bdee369c1af3ca77a77531132df240e4e
cvssv4 8.6 https://github.com/craftcms/cms/releases/tag/5.9.13
cvssv4 8.7 https://github.com/craftcms/cms/releases/tag/5.9.13
generic_textual HIGH https://github.com/craftcms/cms/releases/tag/5.9.13
ssvc Track https://github.com/craftcms/cms/releases/tag/5.9.13
cvssv4 8.6 https://github.com/craftcms/cms/security/advisories/GHSA-2fph-6v5w-89hh
cvssv4 8.7 https://github.com/craftcms/cms/security/advisories/GHSA-2fph-6v5w-89hh
generic_textual HIGH https://github.com/craftcms/cms/security/advisories/GHSA-2fph-6v5w-89hh
ssvc Track https://github.com/craftcms/cms/security/advisories/GHSA-2fph-6v5w-89hh
cvssv4 8.7 https://nvd.nist.gov/vuln/detail/CVE-2026-33157
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2026-33157
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-33157
https://github.com/craftcms/cms
https://github.com/craftcms/cms/commit/97e90b4bdee369c1af3ca77a77531132df240e4e
https://github.com/craftcms/cms/releases/tag/5.9.13
https://github.com/craftcms/cms/security/advisories/GHSA-2fph-6v5w-89hh
https://nvd.nist.gov/vuln/detail/CVE-2026-33157
GHSA-255j-qw47-wjh5 https://github.com/advisories/GHSA-255j-qw47-wjh5
GHSA-2fph-6v5w-89hh https://github.com/advisories/GHSA-2fph-6v5w-89hh
GHSA-7jx7-3846-m7w7 https://github.com/advisories/GHSA-7jx7-3846-m7w7
No exploits are available.
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://github.com/advisories/GHSA-255j-qw47-wjh5
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://github.com/advisories/GHSA-7jx7-3846-m7w7
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://github.com/craftcms/cms
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://github.com/craftcms/cms/commit/97e90b4bdee369c1af3ca77a77531132df240e4e
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://github.com/craftcms/cms/commit/97e90b4bdee369c1af3ca77a77531132df240e4e
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-24T18:19:28Z/ Found at https://github.com/craftcms/cms/commit/97e90b4bdee369c1af3ca77a77531132df240e4e
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://github.com/craftcms/cms/releases/tag/5.9.13
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://github.com/craftcms/cms/releases/tag/5.9.13
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-24T18:19:28Z/ Found at https://github.com/craftcms/cms/releases/tag/5.9.13
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://github.com/craftcms/cms/security/advisories/GHSA-2fph-6v5w-89hh
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://github.com/craftcms/cms/security/advisories/GHSA-2fph-6v5w-89hh
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-24T18:19:28Z/ Found at https://github.com/craftcms/cms/security/advisories/GHSA-2fph-6v5w-89hh
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-33157
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.27421
EPSS Score 0.00101
Published At June 5, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-04T16:58:17.538388+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-2fph-6v5w-89hh/GHSA-2fph-6v5w-89hh.json 38.6.0