CVE-2026-25498
Published 2026-02-09
Priority: P351 | Severity: high | CVSS 3.1 base score: 7.2
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.97% (57.4th percentile)
Craft is a platform for creating digital experiences. In versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a Remote Code Execution (RCE) vulnerability exists in Craft CMS where the assembleLayoutFromPost() function in src/services/Fields.php fails to sanitize user-supplied configuration data before passing it to Craft::createObject(). This allows authenticated administrators to inject malicious Yii2 behavior configurations that execute arbitrary system commands on the server. This vulnerability represents an unpatched variant of the behavior injection vulnerability addressed in CVE-2025-68455, affecting different endpoints through a separate code path. This vulnerability is fixed in 5.8.22.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| craftcms | cms | >= 4.0.0-RC1 < 4.16.18 | 4.16.18 |
| craftcms | cms | >= 5.0.0-RC1 < 5.8.22 | 5.8.22 |
| craftcms | craft_cms | < 4.16.18 | 4.16.18 |
| craftcms | craft_cms | < 5.8.22 | 5.8.22 |
| craftcms | craft_cms | — | — |
| craftcms | craft_cms | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 8.6 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
OSV (osv · 2026-02-09): CVE-2026-25498 [HIGH] Craft CMS Vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior
## Relationship to Previously Patched Vulnerability
This vulnerability is **in addition to** the RCE vulnerability patched in [GHSA-255j-qw47-wjh5](https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5). That advisory addressed a similar RCE vulnerability that affected two specific routes:
- `/index.php?p=admin%2Factions%2Ffields%2Fapply-layout-element-settings`
- `/index.php?p=admin%2Factions%2Ffields%2Frender-card-preview`
This advisory covers additional endpoints that were not addressed by GHSA-255j-qw47-wjh5.
The patched vulnerability used a malicious `AttributeTypecastBehavior` with a wildcard event listen
GHSA (ghsa · 2026-02-09): CVE-2026-25498 [HIGH] CWE-470 Craft CMS Vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior (same advisory text as the OSV entry above)
Detection rules: none found.
Public exploits: none indexed.
Published: 2026-02-09