Craft CMS
cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*
- >= 5.0.0-RC1, <= 5.9.8
- >= 4.0.0-beta.1, <= 4.17.3
A remote code execution vulnerability has been identified in Craft CMS versions 5.0.0-RC1 through 5.9.8 and 4.0.0-beta.1 through 4.17.3. The issue arises in the conditions system, where the BaseElementSelectConditionRule::getElementIds() method improperly handles user-controlled string input. This input is passed to renderObjectTemplate(), an unsandboxed Twig rendering function that disables escaping. Any authenticated Control Panel user, including those with non-admin roles such as Author or Editor, can exploit this vulnerability by sending a crafted condition rule through standard element listing endpoints. The vulnerability bypasses all production hardening settings and requires no special permissions beyond basic Control Panel access.
Exploitation of this vulnerability allows for remote code execution on the server where Craft CMS is hosted.
Users are advised to update to Craft CMS versions 5.9.9 or 4.17.4, both of which include the necessary patch. Instructions for updating can be found in the Craft CMS documentation.
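A small version-range check that encodes the affected ranges and fixed releases listed above, added here as an example and not taken from the Craft CMS project. It uses semver precedence so that pre-release builds such as 5.0.0-RC1 and 4.0.0-beta.1 sort before their final releases, which is what makes the stated lower bounds meaningful; the version strings it inspects are assumed to be in plain `MAJOR.MINOR.PATCH[-prerelease]` form.

```python
# Added example (not from the Craft CMS advisory or project): decide whether a
# reported Craft CMS version falls inside the affected ranges from this entry.
import re
from typing import Optional, Tuple

# Affected ranges as stated in the advisory (inclusive on both ends).
AFFECTED_RANGES = [("5.0.0-RC1", "5.9.8"), ("4.0.0-beta.1", "4.17.3")]
# First fixed release per major line, as stated in the advisory.
FIXED_VERSIONS = {5: "5.9.9", 4: "4.17.4"}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")


def parse_version(text: str) -> Tuple[Tuple[int, int, int], Tuple]:
    """Return a sortable key following semver precedence.

    Key is (core, prerelease_ids). Each pre-release identifier becomes a
    3-tuple so numeric ids sort before alphanumeric ones, and a final release
    (no pre-release tag) sorts after every pre-release of the same core.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    core = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    pre = m.group(4)
    if pre is None:
        return core, ((2, 0, ""),)           # final-release sentinel
    ids = []
    for ident in pre.lower().split("."):     # lower-case so RC1 == rc1
        if ident.isdigit():
            ids.append((0, int(ident), ""))  # numeric id: lowest precedence
        else:
            ids.append((1, 0, ident))        # alphanumeric id: ASCII order
    return core, tuple(ids)


def is_affected(version: str) -> bool:
    """True if `version` lies inside one of the advisory's inclusive ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def fixed_version_for(version: str) -> Optional[str]:
    """First patched release in the same major line, or None if not affected."""
    if not is_affected(version):
        return None
    return FIXED_VERSIONS[parse_version(version)[0][0]]


if __name__ == "__main__":
    for v in ["4.17.3", "4.17.4", "5.0.0-RC1", "5.9.8", "5.9.9"]:
        print(v, "affected" if is_affected(v) else "not affected",
              fixed_version_for(v))
```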