
CVE Reports

Originally published at cvereports.com

CVE-2026-25498: Crafting Chaos: RCE in Craft CMS via Yii2 Behavior Injection


Vulnerability ID: CVE-2026-25498
CVSS Score: 8.6
Published: 2026-02-09

A high-severity Remote Code Execution (RCE) vulnerability exists in Craft CMS versions 4 and 5, specifically within the assembleLayoutFromPost method. The flaw stems from unsafe use of the Yii2 framework's dependency injection container: the decoded request configuration is passed to it without cleansing, allowing authenticated administrators to inject malicious configuration arrays. By leveraging Yii2 'Behaviors', attackers can achieve arbitrary code execution during object instantiation, effectively turning the CMS against its host server.

TL;DR

Authenticated RCE in Craft CMS (v4/v5). The fieldLayout parameter allows attackers to inject Yii2 Behaviors into object creation. By attaching AttributeTypecastBehavior, an attacker can trigger shell commands during server-side validation. Patch immediately to v5.8.22 or v4.16.18.


⚠️ Exploit Status: POC

Technical Details

  • CVE ID: CVE-2026-25498
  • CVSS v4.0: 8.6 (High)
  • CWE: CWE-470 (Unsafe Reflection)
  • Attack Vector: Network (Authenticated)
  • Impact: Remote Code Execution (RCE)
  • Vulnerable Component: src/services/Fields.php
  • Exploit Status: PoC Available

Affected Systems

  • Craft CMS 4.x: >= 4.0.0-RC1, < 4.16.18 (fixed in 4.16.18)
  • Craft CMS 5.x: >= 5.0.0-RC1, < 5.8.22 (fixed in 5.8.22)

Code Analysis

Commit: 395c64f

Fixed behavior injection vulnerability in Fields service

--- a/src/services/Fields.php
+++ b/src/services/Fields.php
@@ -1,4 +1,4 @@
- $config = Json::decode(Craft::$app->getRequest()->getBodyParam($paramPrefix . 'fieldLayout'));
+ $config = ComponentHelper::cleanseConfig(Json::decode(Craft::$app->getRequest()->getBodyParam($paramPrefix . 'fieldLayout')));
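Review bot: the patched line calls ComponentHelper::cleanseConfig() but the hunk shows no corresponding import for ComponentHelper, so confirm Fields.php already carries the use statement (or that the call is fully qualified); otherwise the fixed line fails at runtime. The hunk header (@@ -1,4 +1,4 @@) with no surrounding context lines also suggests this excerpt was reconstructed rather than taken verbatim from commit 395c64f, so readers should consult the commit for the full change. Since the sanitizer is the entire fix, the commit would benefit from a unit test that feeds a fieldLayout payload containing the 'as' and 'on' keys named under Mitigation Strategies and asserts they are stripped before the config reaches the container.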

Exploit Details

Mitigation Strategies

  • Update Craft CMS to the latest patched version immediately.
  • Restrict access to the Craft CMS Control Panel to trusted IP addresses only.
  • Implement WAF rules to detect 'as' or 'on' keys in JSON payloads sent to administrative endpoints.
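The following is an added example, not Craft CMS's own code and not the real ComponentHelper::cleanseConfig() shown in the diff above. It illustrates, in one place, the cleansing step the fix inserts between Json::decode and object creation (the summary's point about uncleansed configuration reaching the Yii2 container) and the key-based detection the WAF recommendation describes. Yii 2 treats a "class" key (or "__class" in newer Yii) as the class to instantiate, keys prefixed "as " as Behavior attachments and keys prefixed "on " as event-handler attachments; none of these should ever originate from a request body. The function names, the sample payload and the placeholder class and callable names are assumptions.

```php
<?php
// Added example (not Craft's code): a stand-alone sanitizer for a decoded
// JSON config that is about to be handed to Yii::createObject() /
// Craft::createObject(). Function names and sample data are assumptions.

declare(strict_types=1);

/**
 * True if Yii 2 would give this config key special meaning while configuring
 * an object: a class override, an "as <name>" behavior attachment, or an
 * "on <event>" event-handler attachment. Matching is deliberately stricter
 * than Yii's own (case-insensitive, surrounding whitespace ignored).
 */
function isDangerousConfigKey(string $key): bool
{
    $k = strtolower(trim($key));
    if ($k === 'class' || $k === '__class') {
        return true;
    }
    return str_starts_with($k, 'as ') || str_starts_with($k, 'on ');
}

/**
 * Recursively drop dangerous keys from a decoded config array. Dotted paths
 * of the removed keys are appended to $removed so the caller can log/alert.
 */
function cleanseUntrustedConfig(array $config, array &$removed, string $path = ''): array
{
    $clean = [];
    foreach ($config as $key => $value) {
        $here = $path === '' ? (string) $key : $path . '.' . $key;
        if (is_string($key) && isDangerousConfigKey($key)) {
            $removed[] = $here;
            continue; // drop the key and everything beneath it
        }
        $clean[$key] = is_array($value)
            ? cleanseUntrustedConfig($value, $removed, $here)
            : $value;
    }
    return $clean;
}

// Constructed sample payload shaped like a field layout, with a behavior
// attachment and an event handler smuggled into a nested element config.
// The class and callable values are placeholders, not real components.
$rawBody = <<<'JSON'
{
  "tabs": [{
    "name": "Content",
    "elements": [{
      "type": "craft\\fieldlayoutelements\\CustomField",
      "fieldUid": "00000000-0000-0000-0000-000000000000",
      "as injected": {"class": "placeholder\\Behavior"},
      "on afterValidate": "placeholder_callable"
    }]
  }]
}
JSON;

$untrusted = json_decode($rawBody, true, 512, JSON_THROW_ON_ERROR);

$removed = [];
$safe = cleanseUntrustedConfig($untrusted, $removed);

// A non-empty $removed list on an administrative endpoint is exactly the
// signal a WAF rule or application-log alert should fire on.
foreach ($removed as $r) {
    fwrite(STDERR, "stripped dangerous config key: {$r}\n");
}
echo json_encode($safe, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), "\n";
```

Run it with php cleanse.php: the two smuggled keys (and the nested class override under the behavior) are removed and reported on stderr, while the legitimate tab and element structure is echoed unchanged. In an application, the call sits where the fix places it, between decoding the request body and passing the array to the container, and the removed-key list is what feeds detection.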

Remediation Steps:

  1. Log in to your server via SSH.
  2. Navigate to your Craft CMS project root.
  3. Run composer update craftcms/cms.
  4. Verify the installed version is >= 4.16.18 or >= 5.8.22.
  5. Check composer.lock to ensure the package is pinned to the secure version.

References


Read the full report for CVE-2026-25498 on our website for more details including interactive diagrams and full exploit analysis.
