Craft CMS, a widely used content management system, suffers from a critical Remote Code Execution vulnerability identified as CVE-2026-33157, classified under CWE-470 (Use of Externally-Controlled Input to Select Classes or Code, also known as Unsafe Reflection). The vulnerability affects versions from 5.6.0 up to but not including 5.9.13. The root cause is the improper sanitization of the fieldLayouts parameter in the ElementIndexesController::actionFilterHud() method. This parameter is passed directly to FieldLayout::createFromConfig() without cleansing, enabling attackers to inject malicious Yii2 behavior or event keys (such as those prefixed with "as" or "on") that can manipulate the application’s behavior. Previous patches attempted to mitigate this by cleansing inputs in other controller actions and adding cleanseConfig() calls, but the fieldLayouts parameter was overlooked, allowing a bypass of those protections. Exploitation requires an authenticated user with control panel access, which could be a legitimate user or an attacker who has compromised credentials. Successful exploitation can lead to arbitrary code execution on the server, compromising confidentiality, integrity, and availability of the affected system. The vulnerability has a CVSS 4.0 base score of 8.6, reflecting its high severity and the potential for significant impact. The issue was publicly disclosed on March 24, 2026, and fixed in Craft CMS version 5.9.13. No public exploits have been reported yet, but the risk remains high due to the nature of the vulnerability and the widespread use of Craft CMS in web applications.

The impact of CVE-2026-33157 is substantial for organizations using affected versions of Craft CMS. An attacker with authenticated control panel access can execute arbitrary code remotely, potentially leading to full system compromise. This could result in data breaches, defacement of websites, deployment of malware or ransomware, and disruption of business operations. The vulnerability undermines the confidentiality, integrity, and availability of the CMS and any connected systems. Since Craft CMS is used globally by businesses, media companies, and other organizations for website management, the exploitation could affect sensitive data and critical web infrastructure. The requirement for authentication limits the attack surface but does not eliminate risk, as credential theft or insider threats could enable exploitation. Organizations failing to patch may face regulatory penalties if data breaches occur, reputational damage, and operational downtime.

To mitigate this vulnerability, organizations should immediately upgrade Craft CMS to version 5.9.13 or later, where the issue is patched. Prior to upgrading, restrict control panel access to trusted users only and enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of credential compromise. Conduct thorough audits of user accounts and permissions to ensure no unauthorized access is possible. Monitor logs for unusual activity related to the ElementIndexesController or unexpected behavior injection attempts. If upgrading is not immediately feasible, consider implementing web application firewall (WAF) rules to detect and block suspicious payloads targeting the fieldLayouts parameter, although this is a temporary measure. Educate administrators about the risks of unsafe reflection and the importance of applying vendor patches promptly. Finally, review and harden CMS configurations to minimize exposure of sensitive endpoints.