PT-2026-38286 · Yii +1

Published: 2026-05-06 · Updated: 2026-05-14 · CVE-2026-44011

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Craft CMS versions 4.0.0 through 4.17.11
Craft CMS versions 5.0.0 through 5.9.17

Description
An input-handling flaw in a Yii object creation path allows authenticated users to inject malicious configuration and execute arbitrary commands on the server. The issue occurs because request-controlled condition field-layout data is converted into a live FieldLayout object without passing through a Component::cleanseConfig() boundary. Since models are configured before parent::__construct() runs, attacker-controlled special config keys take effect during object creation, and FieldLayout initialization triggers an event within the same request. The flaw can be reached via a POST request to the '/admin/actions/element-search/search' endpoint, or other element-indexes actions, using the condition parameter.

Recommendations
Update to version 4.17.12.
Update to version 5.9.18.
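The boundary the advisory describes is a filter that strips Yii's special configuration keys from request data before that data becomes a live object. The following is an added illustration of that pattern, not Craft's own Component::cleanseConfig() and not code from this advisory; the key list (`class`, `__class`, `on <event>`, `as <behavior>`) is taken from Yii 2's documented configuration conventions, and the sample payload and the `Craft::createObject()` usage line are constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Recursively remove keys that Yii::createObject() / Yii::configure() treat as
 * instructions rather than plain property values (added illustration, assumption:
 * key list based on Yii 2 config conventions, not Craft's own implementation):
 *   - 'class' / '__class'   choose which class is instantiated
 *   - 'on <eventName>'      attach an event handler at configuration time
 *   - 'as <behaviorName>'   attach a behavior at configuration time
 * Whatever remains can only set ordinary properties on the server-chosen class.
 */
function cleanseUntrustedConfig(array $config): array
{
    foreach ($config as $key => $value) {
        if (is_string($key)
            && ($key === 'class' || $key === '__class'
                || str_starts_with($key, 'on ') || str_starts_with($key, 'as '))) {
            unset($config[$key]);
            continue;
        }
        if (is_array($value)) {
            // Nested arrays are configured the same way, so cleanse them too.
            $config[$key] = cleanseUntrustedConfig($value);
        }
    }
    return $config;
}

// Constructed sample shaped like a request-supplied "condition" payload.
$untrusted = [
    'uid'          => 'constructed-uid',
    'nested'       => ['foo' => 'bar', 'on init' => 'handler-placeholder'],
    '__class'      => 'placeholder',
    'as something' => 'placeholder',
];

// Hardened path: cleanse first, then pin the class on the server side so the
// request can never select the class or attach handlers/behaviors.
$safe = cleanseUntrustedConfig($untrusted);
// $layout = Craft::createObject(['class' => FieldLayout::class] + $safe); // hypothetical usage

var_dump(array_keys($safe));           // ['uid', 'nested']
var_dump(array_keys($safe['nested'])); // ['foo']
```

The order matters: the filter has to run before the object is created, because, as the advisory notes, Yii applies configuration during construction, so a check performed afterwards on the finished object comes too late.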

Related Identifiers

BDU:2026-07031
CVE-2026-44011
GHSA-QRGM-P9W5-RRFW

Affected Products

Craft CMS
Yii