Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Summary
A Remote Code Execution (RCE) vulnerability exists in Craft CMS 5.x and 4.x that bypasses the security fixes for GHSA-7jx7-3846-m7w7 and GHSA-255j-qw47-wjh5. This vulnerability can be exploited by any authenticated user with control panel access.
The existing patches add cleanseConfig() to assembleLayoutFromPost() and various FieldsController actions to strip Yii2 behavior/event injection keys (as and on prefixed keys). However, the fieldLayouts parameter in ElementIndexesController::actionFilterHud() is passed directly to FieldLayout::createFromConfig() without any sanitization, enabling the same behavior injection attack chain.
Impact
- Attack Type: Remote Code Execution (RCE)
- Authentication Required: Authenticated user with control panel access (
accessCppermission)
Vulnerability Details
Root Cause
In ElementIndexesController::actionFilterHud() (line 493-494), the fieldLayouts body parameter is passed to FieldLayout::createFromConfig() without cleanseConfig():
// ElementIndexesController.php:485-494
if ($conditionConfig) {
$conditionConfig = Component::cleanseConfig($conditionConfig); // conditionConfig IS cleansed
$condition = $conditionsService->createCondition($conditionConfig);
} else {
$condition = $this->elementType()::createCondition();
}
if (!empty($fieldLayouts)) {
// fieldLayouts is NOT cleansed!
$condition->setFieldLayouts(array_map(
fn(array $config) => FieldLayout::createFromConfig($config),
$fieldLayouts
));
}Note the inconsistency: conditionConfig is sanitized with cleanseConfig(), but fieldLayouts is not.
Attack Chain
- Send a
fieldLayoutsarray containing config with"as <name>"prefixed keys FieldLayout::createFromConfig($config)->new self($config)->Model::__construct($config)App::configure($this, $config)processes each key"as rce"key ->Component::__set("as rce", $value)->Yii::createObject($value)-> instantiatesAttributeTypecastBehaviorand attaches it to the FieldLayout"on *"key -> registers a wildcard event handlerparent::__construct()->init()->setTabs([])->getAvailableNativeFields()->trigger(EVENT_DEFINE_NATIVE_FIELDS)- The wildcard handler fires ->
AttributeTypecastBehavior::beforeSave()->typecastAttributes() $this->owner->typecastBeforeSave-> resolved viaComponent::__get()-> returns the command string from the behavior's own propertycall_user_func([ConsoleProcessus::class, 'execute'], $command)->shell_exec($command)
Prerequisites
- A user account with control panel access
AnalysisAI
A Remote Code Execution vulnerability exists in Craft CMS versions 4.x and 5.x that bypasses previous security patches for behavior injection attacks. An authenticated user with control panel access can exploit an unsanitized fieldLayouts parameter in the ElementIndexesController to inject malicious Yii2 behaviors and achieve arbitrary code execution. While no active exploitation (KEV) is documented, a patch is available and the vulnerability requires only low-privilege authenticated access, making it a significant risk for deployments with multiple control panel users.
Technical ContextAI
This vulnerability affects Craft CMS (pkg:composer/craftcms_cms), a popular PHP-based content management system built on the Yii2 framework. The root cause is CWE-470 (Use of Externally-Controlled Input to Select Classes or Code), specifically through Yii2's behavior attachment mechanism. Previous fixes (GHSA-7jx7-3846-m7w7 and GHSA-255j-qw47-wjh5) added cleanseConfig() sanitization to strip 'as ' and 'on ' prefixed keys that enable behavior/event injection, but the ElementIndexesController::actionFilterHud() method was overlooked. When fieldLayouts configuration is passed to FieldLayout::createFromConfig() without sanitization, attackers can inject AttributeTypecastBehavior objects with crafted properties that trigger shell_exec() during the object lifecycle, specifically when init() fires EVENT_DEFINE_NATIVE_FIELDS and the typecastAttributes() chain executes.
RemediationAI
Upgrade Craft CMS to version 5.9.13 or later, which includes the patch commit 97e90b4bdee369c1af3ca77a77531132df240e4e that adds proper cleanseConfig() sanitization to the ElementIndexesController::actionFilterHud() method. The patch and release information are available at https://github.com/craftcms/cms/releases/tag/5.9.13 and the security advisory at https://github.com/craftcms/cms/security/advisories/GHSA-2fph-6v5w-89hh. As an interim mitigation, restrict control panel access to only highly trusted users and implement network-level access controls to limit who can reach the control panel login. Review existing user permissions and revoke accessCp permission for any accounts that do not require administrative access, as this is the prerequisite for exploitation.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14934
GHSA-2fph-6v5w-89hh