Vulnerabilities ›

CVE-2026-33157

High ⚡ Exploit Available

CWE-470 — Weakness Type

                    Published: Mar 24, 2026                      ·  Modified: Mar 30, 2026                      ·  Source: NVD                

CVSS v3

7.2

🔗 NVD Official

📄 Description (English)

Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.13, a Remote Code Execution (RCE) vulnerability exists in Craft CMS, it can be exploited by any authenticated user with control panel access. This is a bypass of a previous fix. The existing patches add cleanseConfig() to assembleLayoutFromPost() and various FieldsController actions to strip Yii2 behavior/event injection keys ("as" and "on" prefixed keys). However, the fieldLayouts parameter in ElementIndexesController::actionFilterHud() is passed directly to FieldLayout::createFromConfig() without any sanitization, enabling the same behavior injection attack chain. This issue has been patched in version 5.9.13.

🤖 AI Executive Summary

Craft CMS versions 5.6.0 to 5.9.12 contain a Remote Code Execution vulnerability allowing authenticated control panel users to bypass previous security patches through unsanitized fieldLayouts parameter in ElementIndexesController. The vulnerability enables Yii2 behavior and event injection attacks, requiring immediate patching to version 5.9.13 or later.

📄 Description (Arabic)

تؤثر هذه الثغرة على Craft CMS من الإصدار 5.6.0 إلى 5.9.12 وتسمح لأي مستخدم مصرح بالوصول إلى لوحة التحكم بتنفيذ أوامر بعيدة. تحدث الثغرة لأن معامل fieldLayouts في ElementIndexesController::actionFilterHud() يتم تمريره مباشرة إلى FieldLayout::createFromConfig() دون أي تعقيم، مما يسمح بهجمات حقن السلوك والأحداث في Yii2.

🤖 ملخص تنفيذي (AI)

🤖 AI Intelligence Analysis Analyzed: May 8, 2026 20:36

🇸🇦 Saudi Arabia Impact Assessment

Saudi Relevance: high

🏢 Affected Saudi Sectors

government banking telecom

🎯 MITRE ATT&CK Techniques

T1190 T1059 T1543

⚖️ Saudi Risk Score (AI)

7.0

/ 10.0

🔧 Remediation Steps (English)

Immediately upgrade Craft CMS to version 5.9.13 or later. For organizations unable to upgrade immediately, restrict control panel access to trusted administrators only and implement network segmentation to limit access to the CMS administration interface. Monitor logs for suspicious fieldLayouts parameter usage and behavior injection attempts.

🔧 خطوات المعالجة (العربية)

قم بترقية Craft CMS فوراً إلى الإصدار 5.9.13 أو أحدث. للمنظمات غير القادرة على الترقية فوراً، قيد الوصول إلى لوحة التحكم للمسؤولين الموثوقين فقط وطبق تقسيم الشبكة لتحديد الوصول إلى واجهة إدارة CMS. راقب السجلات للكشف عن محاولات استخدام معامل fieldLayouts المريبة وحقن السلوك.

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

A.9.2.1 A.9.2.5 A.14.2.1

🔵 SAMA CSF

ID.AM-2 PR.DS-1 PR.IP-1

🟡 ISO 27001:2022

A.6.1.1 A.12.6.1 A.14.2.1

🔗 References & Sources 3

🔗

https://github.com/craftcms/cms/commit/97e90b4bdee369c1af3ca77a77531132df240e4e

security-advisories@github.com

Patch

🔗

https://github.com/craftcms/cms/releases/tag/5.9.13

security-advisories@github.com

Release Notes

🔗

https://github.com/craftcms/cms/security/advisories/GHSA-2fph-6v5w-89hh

security-advisories@github.com

Exploit Vendor Advisory

📦 Affected Products / CPE 1 entries

craftcms:craft_cms

📊 CVSS Score

7.2

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredH — High

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityH — High

IntegrityH — High

AvailabilityH — High

📋 Quick Facts

Severity High

CVSS Score7.2

CWECWE-470

Exploit ✓ Yes

Patch ✓ Yes

Published 2026-03-24

Source Feed nvd

🇸🇦 Saudi Risk Score

7.0

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

exploit-available patch-available CWE-470

🏢 Vendor Advisories

🔗 https://github.com/craftcms/cms/security/advisories/...

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-33157

💬 Comments

Introduce Yourself

Sign In Required