Skip to main content

PHP CVE-2026-33157

| EUVDEUVD-2026-14934 HIGH
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') (CWE-470)
2026-03-24 https://github.com/craftcms/cms GHSA-2fph-6v5w-89hh
8.6
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Mar 24, 2026 - 17:00 euvd
EUVD-2026-14934
Analysis Generated
Mar 24, 2026 - 17:00 vuln.today
Patch released
Mar 24, 2026 - 17:00 nvd
Patch available
CVE Published
Mar 24, 2026 - 16:50 nvd
HIGH 8.6

DescriptionGitHub Advisory

Summary

A Remote Code Execution (RCE) vulnerability exists in Craft CMS 5.x and 4.x that bypasses the security fixes for GHSA-7jx7-3846-m7w7 and GHSA-255j-qw47-wjh5. This vulnerability can be exploited by any authenticated user with control panel access.

The existing patches add cleanseConfig() to assembleLayoutFromPost() and various FieldsController actions to strip Yii2 behavior/event injection keys (as and on prefixed keys). However, the fieldLayouts parameter in ElementIndexesController::actionFilterHud() is passed directly to FieldLayout::createFromConfig() without any sanitization, enabling the same behavior injection attack chain.

Impact

  • Attack Type: Remote Code Execution (RCE)
  • Authentication Required: Authenticated user with control panel access (accessCp permission)

Vulnerability Details

Root Cause

In ElementIndexesController::actionFilterHud() (line 493-494), the fieldLayouts body parameter is passed to FieldLayout::createFromConfig() without cleanseConfig():

php
// ElementIndexesController.php:485-494
if ($conditionConfig) {
    $conditionConfig = Component::cleanseConfig($conditionConfig); // conditionConfig IS cleansed
    $condition = $conditionsService->createCondition($conditionConfig);
} else {
    $condition = $this->elementType()::createCondition();
}

if (!empty($fieldLayouts)) {
    // fieldLayouts is NOT cleansed!
    $condition->setFieldLayouts(array_map(
        fn(array $config) => FieldLayout::createFromConfig($config),
        $fieldLayouts
    ));
}

Note the inconsistency: conditionConfig is sanitized with cleanseConfig(), but fieldLayouts is not.

Attack Chain

  1. Send a fieldLayouts array containing config with "as <name>" prefixed keys
  2. FieldLayout::createFromConfig($config) -> new self($config) -> Model::__construct($config)
  3. App::configure($this, $config) processes each key
  4. "as rce" key -> Component::__set("as rce", $value) -> Yii::createObject($value) -> instantiates AttributeTypecastBehavior and attaches it to the FieldLayout
  5. "on *" key -> registers a wildcard event handler
  6. parent::__construct() -> init() -> setTabs([]) -> getAvailableNativeFields() -> trigger(EVENT_DEFINE_NATIVE_FIELDS)
  7. The wildcard handler fires -> AttributeTypecastBehavior::beforeSave() -> typecastAttributes()
  8. $this->owner->typecastBeforeSave -> resolved via Component::__get() -> returns the command string from the behavior's own property
  9. call_user_func([ConsoleProcessus::class, 'execute'], $command) -> shell_exec($command)

Prerequisites

  • A user account with control panel access

AnalysisAI

A Remote Code Execution vulnerability exists in Craft CMS versions 4.x and 5.x that bypasses previous security patches for behavior injection attacks. An authenticated user with control panel access can exploit an unsanitized fieldLayouts parameter in the ElementIndexesController to inject malicious Yii2 behaviors and achieve arbitrary code execution. While no active exploitation (KEV) is documented, a patch is available and the vulnerability requires only low-privilege authenticated access, making it a significant risk for deployments with multiple control panel users.

Technical ContextAI

This vulnerability affects Craft CMS (pkg:composer/craftcms_cms), a popular PHP-based content management system built on the Yii2 framework. The root cause is CWE-470 (Use of Externally-Controlled Input to Select Classes or Code), specifically through Yii2's behavior attachment mechanism. Previous fixes (GHSA-7jx7-3846-m7w7 and GHSA-255j-qw47-wjh5) added cleanseConfig() sanitization to strip 'as ' and 'on ' prefixed keys that enable behavior/event injection, but the ElementIndexesController::actionFilterHud() method was overlooked. When fieldLayouts configuration is passed to FieldLayout::createFromConfig() without sanitization, attackers can inject AttributeTypecastBehavior objects with crafted properties that trigger shell_exec() during the object lifecycle, specifically when init() fires EVENT_DEFINE_NATIVE_FIELDS and the typecastAttributes() chain executes.

RemediationAI

Upgrade Craft CMS to version 5.9.13 or later, which includes the patch commit 97e90b4bdee369c1af3ca77a77531132df240e4e that adds proper cleanseConfig() sanitization to the ElementIndexesController::actionFilterHud() method. The patch and release information are available at https://github.com/craftcms/cms/releases/tag/5.9.13 and the security advisory at https://github.com/craftcms/cms/security/advisories/GHSA-2fph-6v5w-89hh. As an interim mitigation, restrict control panel access to only highly trusted users and implement network-level access controls to limit who can reach the control panel login. Review existing user permissions and revoke accessCp permission for any accounts that do not require administrative access, as this is the prerequisite for exploitation.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-33157 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy