CVE-2026-44011 (CVSS base score 8.6)
- EPSS 0.35%
- Published 2026-05-12 20:25:08
- Last modified 2026-05-13 16:16:53
- Source security-advisories@github.com
Craft CMS: Potential authenticated Remote Code Execution via malicious attached Behavior
Craft CMS is a content management system (CMS). Versions from 4.0.0 before 4.17.12, and from 5.0.0 before 5.9.18, contain an input-handling flaw in a Yii object creation path that lets an authenticated user inject malicious configuration and execute arbitrary commands on the server. Request-controlled condition field layout data is converted into a live FieldLayout object without passing through a Component::cleanseConfig() boundary. Because Craft configures models before calling parent::__construct(), attacker-controlled special config keys (the keys Yii interprets as instructions rather than data while applying a config array, such as event-handler and behavior attachments) take effect during object creation, and FieldLayout initialization then triggers an event within the same request. The vulnerability is fixed in 4.17.12 and 5.9.18.
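The mechanism the advisory describes, shown on a toy component rather than on Craft or Yii code. This is an added illustration, not code from Craft CMS, Yii or the advisory: ToyComponent, cleanseConfig(), buildUnsafe(), buildSafe(), recordInit() and the sample request array are all constructed here. The component mimics two Yii conventions that are certain (a constructor that applies a config array property by property, and "on <event>" / "as <name>" keys that attach an event handler or a behavior through __set), and fires an init-time event in the same order the advisory gives: configure first, then initialize. The cleanse function is modeled on the purpose of Craft's Component::cleanseConfig(), not copied from it, and also drops the class-selecting keys Yii's object factory honours; the exact key set Craft strips is not reproduced here. Requires PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Added illustration, not Craft CMS or Yii code. A stand-in for a Yii-style
// component: the constructor applies a config array, __set gives "on ..." and
// "as ..." keys their special meaning, and init() fires a same-request event.
class ToyComponent
{
    public string $name = '';
    public array $settings = [];
    /** @var array<string, callable|string> event name => handler */
    public array $eventHandlers = [];
    /** @var array<string, array> behavior name => behavior config */
    public array $behaviors = [];
    /** @var string[] what happened during construction */
    public array $log = [];

    // Same order as the advisory describes: configure, then initialize.
    public function __construct(array $config = [])
    {
        foreach ($config as $key => $value) {
            $this->$key = $value; // undeclared keys are routed to __set()
        }
        $this->init();
    }

    public function __set(string $key, mixed $value): void
    {
        if (str_starts_with($key, 'on ')) {
            // Yii semantics: "on init" => handler attaches an event handler.
            $this->eventHandlers[substr($key, 3)] = $value;
            return;
        }
        if (str_starts_with($key, 'as ')) {
            // Yii semantics: "as foo" => ['class' => ...] attaches a behavior.
            $this->behaviors[substr($key, 3)] = $value;
            return;
        }
        throw new InvalidArgumentException("Unknown property: $key");
    }

    // The event fired during object creation: whatever handler the config
    // attached under "on init" runs right here, before the request ends.
    private function init(): void
    {
        if (isset($this->eventHandlers['init'])) {
            call_user_func($this->eventHandlers['init'], $this);
        }
    }
}

// Drop keys a Yii component treats as instructions rather than data, at every
// nesting level. Modeled on the purpose of Craft's Component::cleanseConfig(),
// not a copy of it; "class"/"__class" are dropped too because Yii's object
// factory would select the class from them.
function cleanseConfig(array $config): array
{
    $out = [];
    foreach ($config as $key => $value) {
        if (is_string($key)) {
            $k = strtolower($key);
            if (str_starts_with($k, 'on ') || str_starts_with($k, 'as ')
                || $k === 'class' || $k === '__class') {
                continue;
            }
        }
        $out[$key] = is_array($value) ? cleanseConfig($value) : $value;
    }
    return $out;
}

// Vulnerable pattern: decoded request data becomes the config array unchanged.
function buildUnsafe(array $request): ToyComponent
{
    return new ToyComponent($request);
}

// Hardened pattern: cleanse at the request boundary before object creation.
function buildSafe(array $request): ToyComponent
{
    return new ToyComponent(cleanseConfig($request));
}

// Handler named by the constructed request; stands in for whatever callable a
// request could point at. It only records that it ran.
function recordInit(ToyComponent $c): void
{
    $c->log[] = 'handler chosen by the request ran during construction';
}

// Constructed sample request body (illustrative keys, not from the advisory).
$request = [
    'name'        => 'Contact form',
    'settings'    => ['as nested' => ['class' => 'App\\Anything']],
    'on init'     => 'recordInit',
    'as attached' => ['class' => 'App\\AttackerBehavior'],
];

$unsafe = buildUnsafe($request);
var_export([$unsafe->log, array_keys($unsafe->behaviors)]); // handler ran, behavior attached
echo "\n";

$safe = buildSafe($request);
var_export([$safe->log, $safe->behaviors, $safe->settings]); // all empty: only 'name' survived
echo "\n";
```

The unsafe build shows both halves of the advisory's chain: the "as attached" key registers a behavior config the request chose, and the "on init" key registers a handler that has already executed by the time the constructor returns. The safe build reduces the request to plain property values, so the same body can only set name; the nested "as nested" key inside settings is removed as well, because nested arrays frequently become config arrays of their own later on.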
Data provided by the CVE Program via a CVE Numbering Authority (CNA) (unstructured).
| Vendor | Product | Version | Status |
|---|---|---|---|
| craftcms | cms | >= 4.0.0, < 4.17.12 | affected |
| craftcms | cms | >= 5.0.0, < 5.9.18 | affected |
VulnDex Vulnerability Enrichment
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.35% | 0.262 |

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 8.6 | 0 | 0 | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |

The vector rates Privileges Required as High (PR:H) with High confidentiality, integrity and availability impact on the vulnerable system and no subsequent-system impact, while the advisory text above speaks of any authenticated user; read the PR:H rating with that discrepancy in mind. The Exploit Score and Impact Score columns show 0 because CVSS 4.0 defines no such sub-scores.
CWE-479 Signal Handler Use of a Non-reentrant Function
The product defines a signal handler that calls a non-reentrant function.
The CWE recorded here does not describe the flaw in the advisory text above, which concerns request-controlled configuration reaching Yii object creation rather than signal handling; consult the linked advisory for the vendor's classification.
https://github.com/craftcms/cms/security/advisories/GHSA-qrgm-p9w5-rrfw
https://github.com/craftcms/cms/commit/ab85ca7f5f926994f723f60584054a1f4c4c5de3