Volerion logoVolerion
Volerion logoVolerion

Craft CMS Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in Craft CMS versions 5.6.0 prior to 5.9.13. This vulnerability allows any authenticated user with control panel access to exploit it, bypassing previous security fixes. The issue arises because the 'fieldLayouts' parameter in the 'ElementIndexesController::actionFilterHud()' method is sent directly to 'FieldLayout::createFromConfig()' without proper sanitization. This oversight enables the injection of Yii2 behavior/event keys, which can be exploited to execute arbitrary code.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where Craft CMS is running.

Reproduction

To reproduce this vulnerability, an authenticated user with control panel access can send a 'fieldLayouts' array containing configuration data with keys prefixed by 'as' or 'on'. The 'ElementIndexesController::actionFilterHud()' method will process this unsanitized data, allowing the injection of behaviors that can be exploited to execute code remotely.

Remediation

Users can update to Craft CMS version 5.9.13 or later, where this vulnerability has been patched.

Added: Mar 24, 2026, 6:36 PM
Updated: Mar 24, 2026, 6:36 PM

Vulnerability Rating

Custom Algorithm
spread
5.2
impact
10.0
exploitability
5.8
remediation
7.7
relevance
4.6
threat
4.8
urgency
2.9
incentive
0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.