CVE-2026-44011: CWE-479: Signal Handler Use of a Non-reentrant Function in craftcms cms
Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, Craft CMS which contains an input-handling flaw in a Yii object creation path that let any authenticated user inject malicious configuration and execute arbitrary commands on the server. The request-controlled condition field layouts data is converted into a live FieldLayout object without a Component::cleanseConfig() boundary. Because Craft configures models before parent::__construct(), attacker-controlled special config keys can take effect during object creation, and FieldLayout initialization then triggers a same-request event. This vulnerability is fixed in 4.17.12 and 5.9.18.
AI Analysis
Technical Summary
Craft CMS has an input-handling vulnerability in versions >=4.0.0,<4.17.12 and >=5.0.0,<5.9.18 where authenticated users can inject malicious configuration via the condition field layouts data. This data is converted into a live FieldLayout object without passing through Component::cleanseConfig(), allowing attacker-controlled special config keys to take effect during object creation. Because Craft CMS configures models before calling the parent constructor, this leads to execution of attacker-controlled code triggered by same-request events during FieldLayout initialization. The vulnerability is identified as CWE-479 (Signal Handler Use of a Non-reentrant Function) and has a CVSS 4.0 score of 8.6 (high severity). It is fixed in versions 4.17.12 and 5.9.18.
Potential Impact
An authenticated user can exploit this vulnerability to inject malicious configuration and execute arbitrary commands on the server hosting Craft CMS. This can lead to full compromise of the affected system. The vulnerability affects multiple major versions of Craft CMS prior to the fixed releases 4.17.12 and 5.9.18.
Mitigation Recommendations
Upgrade Craft CMS to version 4.17.12 or later, or 5.9.18 or later, where this vulnerability is fixed. Patch status is confirmed by the vendor's versioning and fixed releases. No alternative mitigations are indicated.
CVE-2026-44011: CWE-479: Signal Handler Use of a Non-reentrant Function in craftcms cms
Description
Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, Craft CMS which contains an input-handling flaw in a Yii object creation path that let any authenticated user inject malicious configuration and execute arbitrary commands on the server. The request-controlled condition field layouts data is converted into a live FieldLayout object without a Component::cleanseConfig() boundary. Because Craft configures models before parent::__construct(), attacker-controlled special config keys can take effect during object creation, and FieldLayout initialization then triggers a same-request event. This vulnerability is fixed in 4.17.12 and 5.9.18.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Craft CMS has an input-handling vulnerability in versions >=4.0.0,<4.17.12 and >=5.0.0,<5.9.18 where authenticated users can inject malicious configuration via the condition field layouts data. This data is converted into a live FieldLayout object without passing through Component::cleanseConfig(), allowing attacker-controlled special config keys to take effect during object creation. Because Craft CMS configures models before calling the parent constructor, this leads to execution of attacker-controlled code triggered by same-request events during FieldLayout initialization. The vulnerability is identified as CWE-479 (Signal Handler Use of a Non-reentrant Function) and has a CVSS 4.0 score of 8.6 (high severity). It is fixed in versions 4.17.12 and 5.9.18.
Potential Impact
An authenticated user can exploit this vulnerability to inject malicious configuration and execute arbitrary commands on the server hosting Craft CMS. This can lead to full compromise of the affected system. The vulnerability affects multiple major versions of Craft CMS prior to the fixed releases 4.17.12 and 5.9.18.
Mitigation Recommendations
Upgrade Craft CMS to version 4.17.12 or later, or 5.9.18 or later, where this vulnerability is fixed. Patch status is confirmed by the vendor's versioning and fixed releases. No alternative mitigations are indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-04T21:24:36.505Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a0392cfcbff5d861018bb81
Added to database: 5/12/2026, 8:51:27 PM
Last enriched: 5/12/2026, 9:07:06 PM
Last updated: 5/13/2026, 4:51:51 AM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.