CVE-2026-25498

Exploit

EPSS 0.18%
Veröffentlicht 09.02.2026 19:55:06
Zuletzt bearbeitet 19.02.2026 19:20:46
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Craft is a platform for creating digital experiences. In versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a Remote Code Execution (RCE) vulnerability exists in Craft CMS where the assembleLayoutFromPost() function in src/services/Fields.php fails to sanitize user-supplied configuration data before passing it to Craft::createObject(). This allows authenticated administrators to inject malicious Yii2 behavior configurations that execute arbitrary system commands on the server. This vulnerability represents an unpatched variant of the behavior injection vulnerability addressed in CVE-2025-68455, affecting different endpoints through a separate code path. This vulnerability is fixed in 5.8.22.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Craftcms ≫ Craft Cms Version > 4.0.0 < 4.16.18

Craftcms ≫ Craft Cms Version > 5.0.0 < 5.8.22

Craftcms ≫ Craft Cms Version4.0.0 Update-

Craftcms ≫ Craft Cms Version4.0.0 Updaterc1

Craftcms ≫ Craft Cms Version4.0.0 Updaterc2

Craftcms ≫ Craft Cms Version4.0.0 Updaterc3

Craftcms ≫ Craft Cms Version5.0.0 Update-

Craftcms ≫ Craft Cms Version5.0.0 Updaterc1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.18%	0.394

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.2	1.2	5.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	8.6	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.

https://github.com/craftcms/cms/releases/tag/5.8.22

Release Notes

https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7

Patch

Vendor Advisory

Exploit

https://github.com/craftcms/cms/commit/395c64f0b80b507be1c862a2ec942eaacb353748

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-25498

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-25498

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-25498

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-25498