DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-86VW-X4WW-X467: CVE-2026-56382: Remote Code Execution in Craft CMS via Yii2 Event Handler Injection

CVE-2026-56382: Remote Code Execution in Craft CMS via Yii2 Event Handler Injection

Vulnerability ID: GHSA-86VW-X4WW-X467
CVSS Score: 8.6
Published: 2026-07-09

CVE-2026-56382 is a high-severity remote code execution vulnerability in Craft CMS versions 5.5.0 through 5.9.13. The vulnerability exists within the FieldsController::actionRenderCardPreview() method due to a lack of sanitization of the user-supplied fieldLayoutConfig configuration array, permitting authenticated administrators to register arbitrary PHP callbacks using Yii2 event handler injection mechanisms. This issue has been fully remediated in version 5.9.14.

TL;DR

An authenticated administrator can execute arbitrary code remotely in Craft CMS by injecting malicious event handlers in the fieldLayoutConfig parameter targeting the render-card-preview action.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-94
  • Attack Vector: Network
  • CVSS v4.0 Score: 8.6
  • EPSS Score: 0.00493 (Percentile: 38.82%)
  • Impact: Remote Code Execution (RCE)
  • Exploit Status: Proof-of-Concept
  • CISA KEV Status: Not Listed

Affected Systems

  • Craft CMS deployments running version 5.5.0 through 5.9.13
  • Craft CMS: >= 5.5.0, <= 5.9.13 (Fixed in: 5.9.14)

Mitigation Strategies

  • Upgrade Craft CMS dependencies immediately to version 5.9.14 or later.
  • Restrict web access to the administrative control panel using IP whitelist configurations.
  • Monitor application logs for suspicious parameters matching on or as keys in fieldLayoutConfig.

Remediation Steps:

  1. Execute 'composer update craftcms/cms:5.9.14' in the root directory of the application.
  2. Validate that 'FieldsController.php' now invokes 'Component::cleanseConfig' on the incoming configuration array.
  3. Verify application functionality by testing card preview generations in the admin dashboard.
  4. Rotate admin credentials and API secrets if compromised web requests are identified in historical logs.

References


Read the full report for GHSA-86VW-X4WW-X467 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)