CVE-2026-25498Unsafe Reflection in Craft CMS

CWE-470Unsafe Reflection5 documents5 sources
Severity
8.6HIGHNVD
EPSS
0.3%
top 46.49%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Craftcms Craft CMSCraftcms CMS
Timeline
PublishedFeb 9

Description

Craft is a platform for creating digital experiences. In versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a Remote Code Execution (RCE) vulnerability exists in Craft CMS where the assembleLayoutFromPost() function in src/services/Fields.php fails to sanitize user-supplied configuration data before passing it to Craft::createObject(). This allows authenticated administrators to inject malicious Yii2 behavior configurations that execute arbitrary system commands on the server. This

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages3 packages

Packagistcraftcms/cms5.0.0-RC15.8.22+1
NVDcraftcms/craft_cms< 4.16.18+3
CVEListV5craftcms/cms>= 4.0.0-RC1, < 4.16.18, >= 5.0.0-RC1, < 5.8.22+1

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

3
CVEList
Craft has a potential authenticated Remote Code Execution via malicious attached Behavior2026-02-09
OSV
Craft CMS Vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior2026-02-09
GHSA
Craft CMS Vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior2026-02-09

🕵️Threat Intelligence

1
Wiz
CVE-2026-25498 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-25498 — Unsafe Reflection in Craft CMS | cvebase