PT-2026-7148 · Pixel & Tonic · Craft CMS
Rajchowdhury240
Published: 2026-02-09 · Updated: 2026-02-10
CVE-2026-25498
CVSS v4.0: 8.6 (High)
Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Craft CMS versions 4.0.0-RC1 through 4.16.17
Craft CMS versions 5.0.0-RC1 through 5.8.21

Description
A Remote Code Execution (RCE) vulnerability exists in Craft CMS: the assembleLayoutFromPost() function in src/services/Fields.php does not sanitize user-supplied field layout configuration data before passing it to Craft::createObject(). An authenticated administrator can therefore inject a malicious Yii2 behavior configuration, which can result in arbitrary system commands being executed on the server. This is an unpatched variant of a behavior injection issue that was previously addressed in a different set of endpoints. The flaw is located at lines 1125-1143 of src/services/Fields.php, where cleanseConfig() is not called on the fieldLayout POST parameter. The attack injects a behavior through an 'as rce' key in the fieldLayout JSON POST parameter; command execution is then triggered when the model is validated. The vulnerability is reachable through multiple admin controllers, including TagsController, CategoriesController, EntryTypesController, GlobalsController, VolumesController, UsersController, and AddressesController.

Recommendations
Craft CMS versions 4.0.0-RC1 through 4.16.17 should be updated to version 5.8.22 or later. Craft CMS versions 5.0.0-RC1 through 5.8.21 should be updated to version 5.8.22 or later.
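As an added illustration of the missing sanitization step (this is not Craft's own cleanseConfig() and not code from the advisory), the following PHP gate walks a decoded fieldLayout parameter and rejects it before Craft::createObject() if any key would be interpreted by Yii2 as a behavior ("as <name>") or event handler ("on <event>"). Function names, the sample JSON bodies and the placeholder class value are constructed for the example.

```php
<?php
// Illustrative hardening (not Craft's own cleanseConfig()): walk a decoded
// fieldLayout config and collect any key that Yii2's Component::__set()
// would interpret as a behavior ("as <name>") or event handler ("on <event>").
// Such keys must never originate from request data that reaches createObject().
function findInjectedYiiKeys(array $config, string $path = ''): array
{
    $found = [];
    foreach ($config as $key => $value) {
        $here = $path === '' ? (string)$key : $path . '.' . $key;
        if (is_string($key) && (strncmp($key, 'as ', 3) === 0 || strncmp($key, 'on ', 3) === 0)) {
            $found[] = $here;
        }
        if (is_array($value)) {
            $found = array_merge($found, findInjectedYiiKeys($value, $here));
        }
    }
    return $found;
}

// Gate a controller would apply to the raw fieldLayout POST parameter.
// Returns the decoded config, or throws so the request is rejected.
function decodeFieldLayoutOrReject(string $fieldLayoutJson): array
{
    $config = json_decode($fieldLayoutJson, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($config)) {
        throw new InvalidArgumentException('fieldLayout must be a JSON object');
    }
    $injected = findInjectedYiiKeys($config);
    if ($injected !== []) {
        // Log for detection: an admin session submitting "as ..."/"on ..." keys
        // in a layout is a strong indicator of attempted behavior injection.
        error_log('Rejected fieldLayout with injected Yii keys: ' . implode(', ', $injected));
        throw new InvalidArgumentException('fieldLayout contains disallowed configuration keys');
    }
    return $config;
}

// Constructed sample bodies: a benign layout and one carrying the "as rce" key
// named in the advisory (the behavior's class value is a placeholder).
$benign  = '{"tabs":[{"name":"Content","elements":[{"type":"SampleElementType"}]}]}';
$hostile = '{"tabs":[{"name":"Content"}],"as rce":{"class":"PLACEHOLDER_BEHAVIOR_CLASS"}}';

decodeFieldLayoutOrReject($benign);                 // accepted
try {
    decodeFieldLayoutOrReject($hostile);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;                  // rejected before createObject()
}
```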

Exploit · Fix · RCE

Weakness Enumeration

Related Identifiers
CVE-2026-25498
GHSA-7JX7-3846-M7W7

Affected Products
Craft CMS