CVE-2026-56382: Remote Code Execution in Craft CMS via Yii2 Event Handler Injection
Vulnerability ID: GHSA-86VW-X4WW-X467
CVSS Score: 8.6
Published: 2026-07-09
CVE-2026-56382 is a high-severity remote code execution vulnerability in Craft CMS versions 5.5.0 through 5.9.13. The vulnerability exists within the FieldsController::actionRenderCardPreview() method due to a lack of sanitization of the user-supplied fieldLayoutConfig configuration array, permitting authenticated administrators to register arbitrary PHP callbacks using Yii2 event handler injection mechanisms. This issue has been fully remediated in version 5.9.14.
TL;DR
An authenticated administrator can execute arbitrary code remotely in Craft CMS by injecting malicious event handlers in the fieldLayoutConfig parameter targeting the render-card-preview action.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-94
- Attack Vector: Network
- CVSS v4.0 Score: 8.6
- EPSS Score: 0.00493 (Percentile: 38.82%)
- Impact: Remote Code Execution (RCE)
- Exploit Status: Proof-of-Concept
- CISA KEV Status: Not Listed
Affected Systems
- Craft CMS deployments running version 5.5.0 through 5.9.13
-
Craft CMS: >= 5.5.0, <= 5.9.13 (Fixed in:
5.9.14)
Mitigation Strategies
- Upgrade Craft CMS dependencies immediately to version 5.9.14 or later.
- Restrict web access to the administrative control panel using IP whitelist configurations.
- Monitor application logs for suspicious parameters matching on or as keys in fieldLayoutConfig.
Remediation Steps:
- Execute 'composer update craftcms/cms:5.9.14' in the root directory of the application.
- Validate that 'FieldsController.php' now invokes 'Component::cleanseConfig' on the incoming configuration array.
- Verify application functionality by testing card preview generations in the admin dashboard.
- Rotate admin credentials and API secrets if compromised web requests are identified in historical logs.
References
Read the full report for GHSA-86VW-X4WW-X467 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)