CVE-2026-56382

EPSS 0.49%
Veröffentlicht 21.06.2026 13:26:58
Zuletzt bearbeitet 22.06.2026 18:40:05
Quelle disclosure@vulncheck.com
CVE-Watchlists
Login
Unerledigt
Login

Craft CMS - Remote Code Execution via Missing Config Sanitization in FieldsController

Craft CMS (composer package craftcms/cms) versions >= 5.5.0 and <= 5.9.13 contain a remote code execution vulnerability in the FieldsController::actionRenderCardPreview() method, which passes the fieldLayoutConfig POST parameter directly to Fields::createLayout() without calling Component::cleanseConfig(). An authenticated admin user can inject Yii2 event handlers (e.g., 'on init' keys) via the fieldLayoutConfig parameter to execute arbitrary PHP code and disclose sensitive information (such as environment variables containing database credentials and CRAFT_SECURITY_KEY). The issue is fixed in version 5.9.14.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

CNA 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellercraftcms

≫

Produkt cms

Default Statusunaffected

Version 5.5.0

Version < 5.9.14

Status affected

Version 5.9.14

Status unaffected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.49%	0.384

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
disclosure@vulncheck.com	8.6	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
disclosure@vulncheck.com	7.2	1.2	5.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

https://github.com/craftcms/cms/security/advisories/GHSA-86vw-x4ww-x467

https://www.vulncheck.com/advisories/craft-cms-remote-code-execution-via-missing-config-sanitization-in-fieldscontroller

https://nvd.nist.gov/vuln/detail/CVE-2026-56382

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-56382

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-56382

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-56382