CVE-2026-56382

HIGH

Craft CMS - Remote Code Execution via Missing Config Sanitization in FieldsController

Title source: cna

Description

Craft CMS (composer package craftcms/cms) versions >= 5.5.0 and <= 5.9.13 contain a remote code execution vulnerability in the FieldsController::actionRenderCardPreview() method, which passes the fieldLayoutConfig POST parameter directly to Fields::createLayout() without calling Component::cleanseConfig(). An authenticated admin user can inject Yii2 event handlers (e.g., 'on init' keys) via the fieldLayoutConfig parameter to execute arbitrary PHP code and disclose sensitive information (such as environment variables containing database credentials and CRAFT_SECURITY_KEY). The issue is fixed in version 5.9.14.

References (2)

Core References
Vendor Advisory
GHSA Advisory GHSA-86vw-x4ww-x467
https://github.com/craftcms/cms/security/advisories/GHSA-86vw-x4ww-x467
Third Party Advisory
VulnCheck Advisory: Craft CMS - Remote Code Execution via Missing Config Sanitization in FieldsController
https://www.vulncheck.com/advisories/craft-cms-remote-code-execution-via-missing-config-sanitization-in-fieldscontroller

Scores

CVSS v3 7.2
EPSS 0.0049
EPSS Percentile 38.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-94
Status published
Products (2)
craftcms/cms 5.5.0 - 5.9.14
craftcms/cms 5.9.14
Published Jun 21, 2026
Tracked Since Jun 21, 2026