Craft CMS (composer package craftcms/cms) versions >= 5.5.0 and <= 5.9.13 contain a remote code execution vulnerability in the FieldsController::actionRenderCardPreview() method, which passes the fieldLayoutConfig POST parameter directly to Fields::createLayout() without calling Component::cleanseConfig(). An authenticated admin user can inject Yii2 event handlers (e.g., 'on init' keys) via the fieldLayoutConfig parameter to execute arbitrary PHP code and disclose sensitive information (such as environment variables containing database credentials and CRAFT_SECURITY_KEY). The issue is fixed in version 5.9.14.
Metrics
Affected Vendors & Products
References
History
Wed, 24 Jun 2026 16:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Craftcms
Craftcms craftcms |
|
| Vendors & Products |
Craftcms
Craftcms craftcms |
Mon, 22 Jun 2026 11:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Sun, 21 Jun 2026 15:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Craft CMS (composer package craftcms/cms) versions >= 5.5.0 and <= 5.9.13 contain a remote code execution vulnerability in the FieldsController::actionRenderCardPreview() method, which passes the fieldLayoutConfig POST parameter directly to Fields::createLayout() without calling Component::cleanseConfig(). An authenticated admin user can inject Yii2 event handlers (e.g., 'on init' keys) via the fieldLayoutConfig parameter to execute arbitrary PHP code and disclose sensitive information (such as environment variables containing database credentials and CRAFT_SECURITY_KEY). The issue is fixed in version 5.9.14. | |
| Title | Craft CMS - Remote Code Execution via Missing Config Sanitization in FieldsController | |
| First Time appeared |
Juzaweb
Juzaweb cms |
|
| Weaknesses | CWE-94 | |
| CPEs | cpe:2.3:a:juzaweb:cms:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Juzaweb
Juzaweb cms |
|
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published: 2026-06-21T13:26:58.994Z
Updated: 2026-06-22T10:30:06.022Z
Reserved: 2026-06-21T02:05:47.495Z
Link: CVE-2026-56382
Updated: 2026-06-22T10:29:43.441Z
No data.
No data.