{"id":"CVE-2026-33157","summary":"Craft CMS: Potential authenticated Remote Code Execution via malicious attached Behavior","details":"Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.13, a Remote Code Execution (RCE) vulnerability exists in Craft CMS; it can be exploited by any authenticated user with control panel access. This is a bypass of a previous fix. The existing patches add cleanseConfig() to assembleLayoutFromPost() and various FieldsController actions to strip Yii2 behavior/event injection keys (\"as\" and \"on\" prefixed keys). However, the fieldLayouts parameter in ElementIndexesController::actionFilterHud() is passed directly to FieldLayout::createFromConfig() without any sanitization, enabling the same behavior injection attack chain. This issue has been patched in version 5.9.13.","aliases":["GHSA-2fph-6v5w-89hh"],"modified":"2026-04-10T05:42:38.098296Z","published":"2026-03-24T17:22:00.966Z","database_specific":{"cwe_ids":["CWE-470"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33157.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33157.json"},{"type":"FIX","url":"https://github.com/craftcms/cms/commit/97e90b4bdee369c1af3ca77a77531132df240e4e"},{"type":"WEB","url":"https://github.com/craftcms/cms/releases/tag/5.9.13"},{"type":"ADVISORY","url":"https://github.com/craftcms/cms/security/advisories/GHSA-2fph-6v5w-89hh"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33157"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/craftcms/cms","events":[{"introduced":"e14cba6cdca8902c3efb0549a5dc290002b750c2"},{"fixed":"79198636a24ce405d8365e1bc281b3405313ccbf"}],"database_specific":{"versions":[{"introduced":"5.6.0"},{"fixed":"5.9.13"}]}}],"versions":["5.6.0","5.6.0.1","5.6.0.2","5.6.1","5.6.10","5.6.10.1","5.6.10.2","5.6.11","5.6.12"
,"5.6.13","5.6.14","5.6.15","5.6.16","5.6.17","5.6.2","5.6.3","5.6.4","5.6.5","5.6.5.1","5.6.6","5.6.7","5.6.8","5.6.9","5.6.9.1","5.7.0","5.7.1","5.7.1.1","5.7.10","5.7.11","5.7.2","5.7.3","5.7.4","5.7.5","5.7.6","5.7.7","5.7.8","5.7.8.1","5.7.8.2","5.7.9","5.8.0","5.8.1","5.8.10","5.8.11","5.8.12","5.8.13","5.8.13.1","5.8.13.2","5.8.14","5.8.15","5.8.16","5.8.17","5.8.18","5.8.19","5.8.2","5.8.20","5.8.21","5.8.22","5.8.23","5.8.3","5.8.4","5.8.5","5.8.6","5.8.7","5.8.8","5.8.9","5.9.0","5.9.0-beta.1","5.9.0-beta.2","5.9.1","5.9.10","5.9.11","5.9.12","5.9.2","5.9.3","5.9.4","5.9.5","5.9.6","5.9.7","5.9.8","5.9.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33157.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]}