CVE-2026-33157

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-33157

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33157.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-33157

Aliases

GHSA-2fph-6v5w-89hh

Published

2026-03-24T17:22:00.966Z

Modified

2026-04-10T05:42:38.098296Z

Severity

8.6 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

Craft CMS: Potential authenticated Remote Code Execution via malicious attached Behavior

Details

Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.13, a Remote Code Execution (RCE) vulnerability exists in Craft CMS, it can be exploited by any authenticated user with control panel access. This is a bypass of a previous fix. The existing patches add cleanseConfig() to assembleLayoutFromPost() and various FieldsController actions to strip Yii2 behavior/event injection keys ("as" and "on" prefixed keys). However, the fieldLayouts parameter in ElementIndexesController::actionFilterHud() is passed directly to FieldLayout::createFromConfig() without any sanitization, enabling the same behavior injection attack chain. This issue has been patched in version 5.9.13.

Database specific

{
    "cwe_ids": [
        "CWE-470"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33157.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/craftcms/cms

Affected ranges

Type

GIT

Repo

https://github.com/craftcms/cms

Events

Introduced

e14cba6cdca8902c3efb0549a5dc290002b750c2

Fixed

79198636a24ce405d8365e1bc281b3405313ccbf

Database specific

{
    "versions": [
        {
            "introduced": "5.6.0"
        },
        {
            "fixed": "5.9.13"
        }
    ]
}

Affected versions

5.*

5.6.0

5.6.0.1

5.6.0.2

5.6.1

5.6.10

5.6.10.1

5.6.10.2

5.6.11

5.6.12

5.6.13

5.6.14

5.6.15

5.6.16

5.6.17

5.6.2

5.6.3

5.6.4

5.6.5

5.6.5.1

5.6.6

5.6.7

5.6.8

5.6.9

5.6.9.1

5.7.0

5.7.1

5.7.1.1

5.7.10

5.7.11

5.7.2

5.7.3

5.7.4

5.7.5

5.7.6

5.7.7

5.7.8

5.7.8.1

5.7.8.2

5.7.9

5.8.0

5.8.1

5.8.10

5.8.11

5.8.12

5.8.13

5.8.13.1

5.8.13.2

5.8.14

5.8.15

5.8.16

5.8.17

5.8.18

5.8.19

5.8.2

5.8.20

5.8.21

5.8.22

5.8.23

5.8.3

5.8.4

5.8.5

5.8.6

5.8.7

5.8.8

5.8.9

5.9.0

5.9.0-beta.1

5.9.0-beta.2

5.9.1

5.9.10

5.9.11

5.9.12

5.9.2

5.9.3

5.9.4

5.9.5

5.9.6

5.9.7

5.9.8

5.9.9

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33157.json"