PT-2026-27462 · Pixel & Tonic · Craft CMS
Yuma4869
Published: 2026-03-24
Updated: 2026-05-06
CVE-2026-33157
CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Craft CMS versions 4.x through 5.9.12
Description: Craft CMS contains a Remote Code Execution (RCE) issue that bypasses previous security fixes. It allows any authenticated user with control panel access to potentially execute arbitrary code. The issue stems from insufficient sanitization of the fieldLayouts parameter in the ElementIndexesController::actionFilterHud() function, which is passed directly to FieldLayout::createFromConfig() without proper cleansing. Specifically, the fieldLayouts parameter is not processed with cleanseConfig(), unlike the conditionConfig parameter. This enables the injection of Yii2 behavior/event keys (keys prefixed with "as" and "on"), leading to the instantiation of arbitrary objects and, ultimately, the execution of shell commands via a chain involving Component::get(), call_user_func(), and shell_exec().
Recommendations: Craft CMS versions 4.x through 5.9.12 should be updated to version 5.9.13 or later.
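As an added illustration of the missing step the description names (example code written for this page, not Craft's own cleanseConfig(), whose exact implementation is not given here): a recursive cleanser that drops Yii2 "on " and "as " keys from a request-supplied layout config before it reaches a createFromConfig()-style factory, run over a constructed sample input.

```php
<?php

/**
 * Strip the Yii2 special keys the advisory describes from a configuration
 * array before it is handed to a createFromConfig()-style factory.
 *
 * Yii2's Component::__set() treats a key of the form "on <event>" as an event
 * handler attachment and "as <behavior>" as a behavior attachment, so either
 * key arriving from request input lets the caller wire up arbitrary callables
 * or objects. The check is applied recursively because layout configs nest.
 */
function cleanseConfig(array $config): array
{
    $clean = [];
    foreach ($config as $key => $value) {
        if (is_string($key) && (str_starts_with($key, 'on ') || str_starts_with($key, 'as '))) {
            continue; // never accept event/behavior wiring from untrusted input
        }
        $clean[$key] = is_array($value) ? cleanseConfig($value) : $value;
    }
    return $clean;
}

/** True when no "on "/"as " key survives anywhere in the (nested) config. */
function configIsClean(array $config): bool
{
    foreach ($config as $key => $value) {
        if (is_string($key) && (str_starts_with($key, 'on ') || str_starts_with($key, 'as '))) {
            return false;
        }
        if (is_array($value) && !configIsClean($value)) {
            return false;
        }
    }
    return true;
}

// Constructed sample: a field layout config as a client could submit it, with
// injected Yii2 keys mixed into the legitimate structure at two nesting levels.
$untrusted = [
    'type' => 'craft\\elements\\Entry',
    'tabs' => [
        ['name' => 'Content', 'on init' => 'some_callable', 'elements' => []],
    ],
    'as injected' => ['class' => 'SomeBehaviorClass'],
];

$safe = cleanseConfig($untrusted);
var_dump(configIsClean($untrusted));
var_dump(configIsClean($safe));
```

The same prefix check applied to every request-derived config (not only conditionConfig) is the behaviour the fix in 5.9.13 restores for fieldLayouts.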

Tags: RCE

Related Identifiers
CVE-2026-33157
GHSA-2FPH-6V5W-89HH

Affected Products
Craft CMS