Craft CMS Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in Craft CMS versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21. The issue arises in the 'assembleLayoutFromPost()' function within 'src/services/Fields.php', where user-supplied configuration data is not properly sanitized before being passed to 'Craft::createObject()'. This flaw allows authenticated administrators to inject malicious Yii2 behavior configurations that can execute arbitrary system commands on the server. This vulnerability is an unpatched variant of a similar issue addressed in CVE-2025-68455, affecting different endpoints through a separate code path.

Impact

Exploitation of this vulnerability allows for authenticated remote code execution on the server.

Reproduction

To reproduce this vulnerability, an authenticated administrator must send a POST request to an endpoint that triggers the 'assembleLayoutFromPost()' function in 'Fields.php'. The request must include a 'fieldLayout' parameter with injected Yii2 behavior configurations, such as the 'as rce' key, which exploits the behavior attachment mechanism to execute arbitrary system commands via the 'AttributeTypecastBehavior'.
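As an added defensive check (not code from Craft CMS or the advisory), the following walks a decoded 'fieldLayout' POST value and flags keys that Yii2's component setter treats as behavior ('as ...') or event-handler ('on ...') attachments, which a legitimate layout never carries. The sample bodies, the layout shape, and the 'PLACEHOLDER-UID' value are constructed for illustration; the check can be run over captured request bodies from a WAF or access log to spot this pattern.

```python
import json
import re

# Yii2's Component::__set() treats a key prefixed "as " as a behavior
# attachment and one prefixed "on " as an event-handler attachment. Neither
# has any business in a field layout config, so both are treated as hits.
SUSPICIOUS_KEY = re.compile(r"^(as|on)\s+\S")


def find_injected_keys(node, path="$"):
    """Recursively walk a decoded fieldLayout structure and return
    JSONPath-like locations of behavior/event attachment keys."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            if isinstance(key, str) and SUSPICIOUS_KEY.match(key):
                hits.append(here)
            hits.extend(find_injected_keys(value, here))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_injected_keys(item, f"{path}[{i}]"))
    return hits


def check_field_layout(raw):
    """Return (is_suspicious, hits) for a raw fieldLayout POST value.
    Undecodable input is flagged rather than silently passed."""
    try:
        layout = json.loads(raw)
    except ValueError:
        return True, ["$ (not valid JSON)"]
    hits = find_injected_keys(layout)
    return bool(hits), hits


# Constructed sample bodies (not taken from the advisory): a benign layout
# and one carrying an "as rce" behavior attachment inside a layout element.
BENIGN = json.dumps({"tabs": [{"name": "Content", "elements": [
    {"type": "craft\\fieldlayoutelements\\CustomField", "fieldUid": "PLACEHOLDER-UID"}]}]})
INJECTED = json.dumps({"tabs": [{"name": "Content", "elements": [
    {"type": "craft\\fieldlayoutelements\\CustomField",
     "as rce": {"class": "yii\\behaviors\\AttributeTypecastBehavior"}}]}]})

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("injected", INJECTED)):
        flagged, hits = check_field_layout(body)
        print(f"{label}: flagged={flagged} hits={hits}")
```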

Remediation

Users can upgrade to Craft CMS versions 5.8.22 or 4.16.18, where this vulnerability has been patched.

Added: Feb 9, 2026, 8:20 PM
Updated: Feb 9, 2026, 10:20 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 2.5
exploitability: 5.4
remediation: 7.7
relevance: 2.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.