CVE-2026-33157 — Unsafe Reflection in Craft CMS

CWE-470 — Unsafe Reflection5 documents5 sources

Severity

8.6HIGHNVD

EPSS

0.1%

top 82.17%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Craftcms Craft CMS Craftcms CMS

Timeline

PublishedMar 24

Description

Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.13, a Remote Code Execution (RCE) vulnerability exists in Craft CMS, it can be exploited by any authenticated user with control panel access. This is a bypass of a previous fix. The existing patches add cleanseConfig() to assembleLayoutFromPost() and various FieldsController actions to strip Yii2 behavior/event injection keys ("as" and "on" prefixed keys). However, the fieldLayouts parameter in ElementIndexe…

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages3 packages

▶Packagistcraftcms/cms5.6.0 — 5.9.13

▶NVDcraftcms/craft_cms5.6.0 — 5.9.13

▶CVEListV5craftcms/cms>= 5.6.0, < 5.9.13

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

Craft CMS is Vulnerable to Authenticated Remote Code Execution via Malicious Attached Behavior↗2026-03-24

▶

GHSA

Craft CMS is Vulnerable to Authenticated Remote Code Execution via Malicious Attached Behavior↗2026-03-24

▶

CVEList

Craft CMS: Potential authenticated Remote Code Execution via malicious attached Behavior↗2026-03-24

▶

🕵️Threat Intelligence

Wiz

CVE-2026-33157 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶