Executive Summary

CVE-2026-33157 is a high-severity Remote Code Execution (RCE) vulnerability in Craft CMS versions from 5.6.0 up to but not including 5.9.13. It can be exploited by any authenticated user with control panel access. The vulnerability arises because the fieldLayouts parameter in the ElementIndexesController::actionFilterHud() method is passed directly to FieldLayout::createFromConfig() without sanitization. This allows attackers to inject malicious Yii2 behavior/event keys, bypassing previous fixes that attempted to cleanse such inputs. The issue was fixed by adding a sanitization step to cleanse the field layout configuration data before processing, preventing the injection of malicious code.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an authenticated user with control panel access to execute arbitrary code remotely on the server running Craft CMS. This can lead to full system compromise, unauthorized data access, data modification, or disruption of service. Because the exploit involves bypassing input sanitization, attackers can leverage this flaw to escalate privileges or perform malicious actions within the CMS environment.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability is a Remote Code Execution (RCE) flaw in Craft CMS versions from 5.6.0 to before 5.9.13, exploitable by any authenticated user with control panel access. Detection involves verifying the version of Craft CMS in use and checking for the presence of unsanitized field layout configurations in the ElementIndexesController.'}, {'type': 'paragraph', 'content': 'To detect if your system is vulnerable, first identify the Craft CMS version running on your system. If it is between 5.6.0 and before 5.9.13, it is vulnerable.'}, {'type': 'list_item', 'content': 'Check the Craft CMS version by running a command or inspecting the CMS admin panel or version files.'}, {'type': 'list_item', 'content': 'Review logs for suspicious authenticated user activity involving the control panel, especially actions related to field layouts or the ElementIndexesController.'}, {'type': 'list_item', 'content': 'No specific commands are provided in the resources, but general commands to check version or logs might include:'}, {'type': 'list_item', 'content': " - `grep 'version' path/to/craftcms/version/file`"}, {'type': 'list_item', 'content': " - `tail -n 100 /path/to/craftcms/storage/logs/web.log | grep 'ElementIndexesController'`"}, {'type': 'paragraph', 'content': 'Since the vulnerability involves unsanitized input passed to FieldLayout::createFromConfig(), monitoring for unusual or unexpected field layout configurations or changes might also help detect exploitation attempts.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade Craft CMS to version 5.9.13 or later, where the vulnerability has been patched.

The fix involves sanitizing the field layout configuration data before processing it, preventing malicious input from enabling remote code execution.

• Upgrade Craft CMS to version 5.9.13 or newer.
• If immediate upgrade is not possible, restrict authenticated user access to the control panel to only trusted users.
• Monitor and audit control panel activities for suspicious behavior related to field layout configurations.

Applying the official patch or update is the recommended and most effective mitigation.

Useful 0 Not Useful 0