Craft CMS, a popular content management system, suffers from a Remote Code Execution vulnerability identified as CVE-2026-33157, classified under CWE-470 (Use of Externally-Controlled Input to Select Classes or Code, also known as Unsafe Reflection). This vulnerability affects versions from 5.6.0 up to but not including 5.9.13. The root cause is that the fieldLayouts parameter in the ElementIndexesController::actionFilterHud() method is passed directly to FieldLayout::createFromConfig() without proper sanitization. Although previous patches introduced cleanseConfig() to sanitize inputs in assembleLayoutFromPost() and various FieldsController actions by stripping Yii2 behavior/event injection keys prefixed with "as" and "on", this particular parameter was overlooked. As a result, an authenticated user with control panel access can inject malicious behavior or event keys, enabling execution of arbitrary code on the server. This vulnerability effectively bypasses prior mitigations and allows attackers to escalate privileges and execute code remotely. The vulnerability has been assigned a CVSS 4.0 score of 8.6 (high severity), reflecting its network attack vector, low attack complexity, no user interaction, and high impact on confidentiality, integrity, and availability. The issue was publicly disclosed on March 24, 2026, and patched in Craft CMS version 5.9.13. There are no known exploits in the wild at the time of disclosure, but the presence of a bypass to previous fixes increases the risk of exploitation. The vulnerability specifically targets the Yii2 PHP framework behaviors within Craft CMS, emphasizing the importance of input sanitization in dynamic code execution contexts.

The vulnerability allows any authenticated user with control panel access to execute arbitrary code remotely on the server hosting Craft CMS. This can lead to full system compromise, including unauthorized data access, data modification, service disruption, and potential lateral movement within the network. Since Craft CMS is often used to manage websites and digital content, exploitation could result in defacement, data breaches, or deployment of malware to site visitors. The bypass of previous mitigations increases the risk that attackers who have legitimate user credentials or compromised accounts can escalate their privileges and execute malicious payloads. Organizations relying on affected versions face significant risks to confidentiality, integrity, and availability of their web infrastructure and data. The impact is especially critical for enterprises hosting sensitive or regulated data, as well as for service providers managing multiple client sites on Craft CMS.

1. Immediately upgrade Craft CMS to version 5.9.13 or later, where the vulnerability is patched. 2. Restrict control panel access strictly to trusted and authenticated users, employing strong authentication mechanisms such as multi-factor authentication (MFA). 3. Review and audit user accounts with control panel access to ensure no unauthorized or stale accounts exist. 4. Monitor logs for unusual activity related to ElementIndexesController or unexpected behavior/event injection keys. 5. If upgrading immediately is not possible, implement web application firewall (WAF) rules to detect and block suspicious payloads targeting the fieldLayouts parameter or Yii2 behavior/event keys. 6. Conduct a security review of custom plugins or modules that interact with fieldLayouts or dynamic configuration loading to ensure they do not introduce similar unsafe reflection risks. 7. Educate developers and administrators about the risks of unsafe reflection and the importance of input sanitization in dynamic code execution contexts. 8. Regularly update Craft CMS and dependencies to incorporate security patches promptly.