Vulnerability Details CVE-2026-33157
Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.13, a Remote Code Execution (RCE) vulnerability exists in Craft CMS, it can be exploited by any authenticated user with control panel access. This is a bypass of a previous fix. The existing patches add cleanseConfig() to assembleLayoutFromPost() and various FieldsController actions to strip Yii2 behavior/event injection keys ("as" and "on" prefixed keys). However, the fieldLayouts parameter in ElementIndexesController::actionFilterHud() is passed directly to FieldLayout::createFromConfig() without any sanitization, enabling the same behavior injection attack chain. This issue has been patched in version 5.9.13.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 13.4%
CVSS Severity
CVSS v3 Score 7.2
References
Products affected by CVE-2026-33157
-
cpe:2.3:a:craftcms:craft_cms:5.6.0
-
cpe:2.3:a:craftcms:craft_cms:5.6.0.1
-
cpe:2.3:a:craftcms:craft_cms:5.6.0.2
-
cpe:2.3:a:craftcms:craft_cms:5.6.1
-
cpe:2.3:a:craftcms:craft_cms:5.6.10
-
cpe:2.3:a:craftcms:craft_cms:5.6.10.1
-
cpe:2.3:a:craftcms:craft_cms:5.6.10.2
-
cpe:2.3:a:craftcms:craft_cms:5.6.11
-
cpe:2.3:a:craftcms:craft_cms:5.6.12
-
cpe:2.3:a:craftcms:craft_cms:5.6.13
-
cpe:2.3:a:craftcms:craft_cms:5.6.14
-
cpe:2.3:a:craftcms:craft_cms:5.6.15
-
cpe:2.3:a:craftcms:craft_cms:5.6.16
-
cpe:2.3:a:craftcms:craft_cms:5.6.17
-
cpe:2.3:a:craftcms:craft_cms:5.6.2
-
cpe:2.3:a:craftcms:craft_cms:5.6.3
-
cpe:2.3:a:craftcms:craft_cms:5.6.4
-
cpe:2.3:a:craftcms:craft_cms:5.6.5
-
cpe:2.3:a:craftcms:craft_cms:5.6.5.1
-
cpe:2.3:a:craftcms:craft_cms:5.6.6
-
cpe:2.3:a:craftcms:craft_cms:5.6.7
-
cpe:2.3:a:craftcms:craft_cms:5.6.8
-
cpe:2.3:a:craftcms:craft_cms:5.6.9
-
cpe:2.3:a:craftcms:craft_cms:5.6.9.1
-
cpe:2.3:a:craftcms:craft_cms:5.7.0
-
cpe:2.3:a:craftcms:craft_cms:5.7.1
-
cpe:2.3:a:craftcms:craft_cms:5.7.1.1
-
cpe:2.3:a:craftcms:craft_cms:5.7.10
-
cpe:2.3:a:craftcms:craft_cms:5.7.11
-
cpe:2.3:a:craftcms:craft_cms:5.7.2
-
cpe:2.3:a:craftcms:craft_cms:5.7.3
-
cpe:2.3:a:craftcms:craft_cms:5.7.4
-
cpe:2.3:a:craftcms:craft_cms:5.7.5
-
cpe:2.3:a:craftcms:craft_cms:5.7.6
-
cpe:2.3:a:craftcms:craft_cms:5.7.7
-
cpe:2.3:a:craftcms:craft_cms:5.7.8
-
cpe:2.3:a:craftcms:craft_cms:5.7.8.1
-
cpe:2.3:a:craftcms:craft_cms:5.7.8.2
-
cpe:2.3:a:craftcms:craft_cms:5.7.9
-
cpe:2.3:a:craftcms:craft_cms:5.8.0
-
cpe:2.3:a:craftcms:craft_cms:5.8.1
-
cpe:2.3:a:craftcms:craft_cms:5.8.10
-
cpe:2.3:a:craftcms:craft_cms:5.8.11
-
cpe:2.3:a:craftcms:craft_cms:5.8.12
-
cpe:2.3:a:craftcms:craft_cms:5.8.13
-
cpe:2.3:a:craftcms:craft_cms:5.8.13.1
-
cpe:2.3:a:craftcms:craft_cms:5.8.13.2
-
cpe:2.3:a:craftcms:craft_cms:5.8.14
-
cpe:2.3:a:craftcms:craft_cms:5.8.15
-
cpe:2.3:a:craftcms:craft_cms:5.8.16
-
cpe:2.3:a:craftcms:craft_cms:5.8.17
-
cpe:2.3:a:craftcms:craft_cms:5.8.18
-
cpe:2.3:a:craftcms:craft_cms:5.8.19
-
cpe:2.3:a:craftcms:craft_cms:5.8.2
-
cpe:2.3:a:craftcms:craft_cms:5.8.20
-
cpe:2.3:a:craftcms:craft_cms:5.8.21
-
cpe:2.3:a:craftcms:craft_cms:5.8.22
-
cpe:2.3:a:craftcms:craft_cms:5.8.23
-
cpe:2.3:a:craftcms:craft_cms:5.8.3
-
cpe:2.3:a:craftcms:craft_cms:5.8.4
-
cpe:2.3:a:craftcms:craft_cms:5.8.5
-
cpe:2.3:a:craftcms:craft_cms:5.8.6
-
cpe:2.3:a:craftcms:craft_cms:5.8.7
-
cpe:2.3:a:craftcms:craft_cms:5.8.8
-
cpe:2.3:a:craftcms:craft_cms:5.8.9
-
cpe:2.3:a:craftcms:craft_cms:5.9.0
-
cpe:2.3:a:craftcms:craft_cms:5.9.1
-
cpe:2.3:a:craftcms:craft_cms:5.9.10
-
cpe:2.3:a:craftcms:craft_cms:5.9.2
-
cpe:2.3:a:craftcms:craft_cms:5.9.3
-
cpe:2.3:a:craftcms:craft_cms:5.9.4
-
cpe:2.3:a:craftcms:craft_cms:5.9.5
-
cpe:2.3:a:craftcms:craft_cms:5.9.6
-
cpe:2.3:a:craftcms:craft_cms:5.9.7
-
cpe:2.3:a:craftcms:craft_cms:5.9.8
-
cpe:2.3:a:craftcms:craft_cms:5.9.9