CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad

CVE-2025-68455

Craft CMS Authenticated RCE via Yii2 Behavior Injection

Alon Barad
Software Engineer

Feb 28, 2026 · 5 min read

Executive Summary (TL;DR)

Authenticated administrators can execute arbitrary code on the server by sending crafted JSON payloads to the Craft CMS control panel. The vulnerability exploits the Yii2 component configuration mechanism to attach malicious behaviors before the system validates the input.

A critical post-authentication Remote Code Execution (RCE) vulnerability exists in Craft CMS versions 4.x and 5.x due to improper sanitization of configuration arrays passed to the underlying Yii2 framework. By injecting malicious 'behavior' configurations into the `FieldsController`, an attacker with administrative privileges can instantiate arbitrary classes and execute code on the underlying server. This flaw stems from a regression in how user input is merged after sanitization routines have already run.

Architectural Context: Yii2 Components and Behaviors

Craft CMS is built on top of the Yii2 PHP framework, which utilizes a powerful component-based architecture. A core feature of Yii2 is its dependency injection container and configuration system, where objects extending yii\base\Component can be initialized using configuration arrays. These arrays support 'magic' keys that dictate how the object is constructed.

Two specific keys are critical to this vulnerability: `as <behaviorName>` and `on <eventName>`. The `as` key allows developers to dynamically attach 'Behaviors', classes that inject methods and properties into the component. The `on` key binds event handlers to the component's events. While powerful for developers, these features present a significant attack surface if user-controlled input can inject these keys: an attacker can use them to attach arbitrary classes or trigger execution flows that the application logic never intended.

To mitigate this, Craft CMS implements a cleanseConfig() method designed to strip these dangerous keys from user input. However, the effectiveness of this sanitization depends entirely on when it is applied in the request lifecycle relative to data merging.

Root Cause Analysis

The vulnerability lies in the src/controllers/FieldsController.php file, specifically within the actionSaveFieldLayout method (and similar endpoints handling layout settings). The application processes configuration data sent via POST requests to update field layouts. The root cause is a logic error in the order of operations regarding input sanitization.

The application correctly identified the need to sanitize the primary configuration array using Component::cleanseConfig(), which removes keys starting with `as ` or `on `. However, after this sanitization step, the code retrieved an additional settings parameter from the request body, decoded it from JSON, and merged it into the already-cleansed configuration array.

Because the merge occurred post-sanitization, the settings array could reintroduce the forbidden as and on keys. When the resulting array was subsequently used to instantiate or configure a component, Yii2 processed these keys, initializing the attacker-defined behaviors. This creates a classic 'Time-of-Check to Time-of-Use' (TOCTOU) style flaw where the data is validated (cleansed) and then modified (merged) before use.

Code Analysis: The Logic Flaw

The following code comparison illustrates the vulnerability in src/controllers/FieldsController.php. In the vulnerable version, the cleanseConfig call happens before the user-supplied $settings are merged into the config.

Vulnerable Code (Simplified):

// 1. Primary config is sanitized
$config = Component::cleanseConfig($config);
 
// 2. User-supplied 'settings' are retrieved
$settings = $this->request->getBodyParam('settings');
 
// 3. Settings are merged into the CLEAN config (VULNERABILITY)
// Malicious 'as' or 'on' keys in $settings bypass step 1
if ($settings) {
    $config = array_merge($config, $settings);
}
 
// 4. Component is created with tainted config
$field = Craft::createObject($config);

Patched Code:

The fix involves ensuring that cleanseConfig is the final step before object creation. The patch moves the sanitization call to after all merging operations are complete.

$settings = $this->request->getBodyParam('settings');
 
if ($settings) {
    $config = array_merge($config, $settings);
}
 
// FIX: Sanitize AFTER merging all user input
$config = Component::cleanseConfig($config);
 
$field = Craft::createObject($config);

By moving the sanitization call to the end of the preparation block, the developers ensure that no matter what data is merged from the request parameters, the dangerous as and on keys are stripped before the Yii2 factory processes the array.
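To make the ordering concrete, the following is an added PHP example (not Craft CMS or Yii2 code): it models cleanseConfig() with a small recursive strip of `as `/`on ` keys, runs both the vulnerable and the patched preparation order over a constructed settings payload, and exposes the same key check, containsMagicKeys(), that a defender could run over decoded request bodies or request logs to spot tampering attempts. The function names, the cleanse implementation and the sample payload are assumptions made for the example.

```php
<?php
// Added example, not Craft CMS or Yii2 code. A minimal cleanse routine modelled on the
// page's description of Component::cleanseConfig(), showing why cleanse-then-merge fails.

/** Assumption: a "magic" key is any string key starting with "as " or "on ". */
function isMagicKey($key): bool
{
    return is_string($key) && (str_starts_with($key, 'as ') || str_starts_with($key, 'on '));
}

/** True if $config holds a magic key at any depth (also usable as a request-body check). */
function containsMagicKeys(array $config): bool
{
    foreach ($config as $key => $value) {
        if (isMagicKey($key) || (is_array($value) && containsMagicKeys($value))) {
            return true;
        }
    }
    return false;
}

/** Strip magic keys recursively (assumed to mirror what cleanseConfig() does). */
function cleanse(array $config): array
{
    foreach ($config as $key => $value) {
        if (isMagicKey($key)) {
            unset($config[$key]);
        } elseif (is_array($value)) {
            $config[$key] = cleanse($value);
        }
    }
    return $config;
}

// Constructed request data: a benign field config plus a tampered 'settings' JSON body parameter.
$config   = ['type' => 'craft\\fields\\PlainText', 'name' => 'Title'];
$settings = json_decode('{"placeholder":"x","as demo":{"class":"SomeBehavior"},"on *":"handler"}', true);

// Vulnerable order (cleanse, then merge): the injected keys survive into the final config.
$vulnerable = array_merge(cleanse($config), $settings);
// Patched order (merge, then cleanse): the keys are stripped right before object creation.
$patched = cleanse(array_merge($config, $settings));

if (!containsMagicKeys($vulnerable)) {
    throw new RuntimeException('vulnerable order should let the injected keys survive');
}
if (containsMagicKeys($patched)) {
    throw new RuntimeException('patched order must strip the injected keys');
}
echo "cleanse-after-merge strips the injected 'as'/'on' keys\n";
```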

Exploitation Methodology

To exploit this vulnerability, an attacker requires authentication to the Craft CMS Control Panel with permissions to access field layout settings. The attack leverages a specific gadget class available in the Yii2 framework: yii\behaviors\AttributeTypecastBehavior.

The attacker constructs a JSON payload targeting the settings parameter. The payload does two things: it attaches the AttributeTypecastBehavior and configures it to execute a system command. The AttributeTypecastBehavior class has a property typecastBeforeSave which accepts a callable. By binding the behavior's execution to a wildcard event (*), the attacker forces the callable to execute immediately upon component activity.

Payload Structure:

  1. as rce: Attaches yii\behaviors\AttributeTypecastBehavior.
  2. attributeTypes: Maps a dummy attribute to the PHP function exec (or similar).
  3. typecastBeforeSave: Provides the arguments for the command (e.g., touch /tmp/pwned).
  4. on *: Triggers the beforeSave event handler of the behavior on any event.

When the server processes the apply-layout-element-settings action, it instantiates the component. The Yii2 framework sees the as key, attaches the behavior, and due to the on key, triggers the behavior's methods, resulting in the execution of the PHP callable defined in the payload.

Impact and Risk Assessment

The successful exploitation of CVE-2025-68455 results in Remote Code Execution (RCE) in the context of the web server user (typically www-data). Although authentication is required, the risk remains high for several reasons.

First, in many organizations, 'Administrator' access to a CMS is not equivalent to full server root access. This vulnerability bridges that gap, allowing a CMS admin to pivot to the underlying operating system, potentially accessing other applications, database credentials, or environment variables stored on the server.

Second, this vulnerability allows for the installation of persistent backdoors. An attacker could modify the CMS source code or drop web shells that persist even if the CMS credentials are later changed. The vulnerability has a CVSS v3.1 score of 7.2 (High) and a CVSS v4.0 score of 8.6, reflecting the severity of the impact despite the privilege requirement.

Official Patches

Craft CMS: Release notes for Craft CMS 5.8.21 fixing the vulnerability


Technical Appendix

CVSS Score: 7.2 / 10 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Probability: 1.13% (Top 99% most exploited)

Affected Systems

  • Craft CMS 5.0.0-RC1 through 5.8.20
  • Craft CMS 4.0.0-RC1 through 4.16.16

Affected Versions Detail

  • Craft CMS: affected >= 5.0.0-RC1, < 5.8.21; fixed in 5.8.21
  • Craft CMS: affected >= 4.0.0-RC1, < 4.16.17; fixed in 4.16.17

  • CWE ID: CWE-470
  • Vulnerability Type: Unsafe Reflection / Object Injection
  • CVSS v3.1: 7.2 (High)
  • Attack Vector: Network (Authenticated)
  • Impact: Remote Code Execution
  • Fix Complexity: Low (Update required)

MITRE ATT&CK Mapping

  • T1190 Exploit Public-Facing Application (Initial Access)
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell (Execution)
  • T1059.004 Command and Scripting Interpreter: Unix Shell (Execution)

CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

The application uses external input to select which class to instantiate or code to execute, but does not sufficiently restrict the input.

Known Exploits & Detection

SentinelOne / Research: Proof of Concept utilizing yii\behaviors\AttributeTypecastBehavior for RCE

Vulnerability Timeline

  • 2024-12-04: Vendor releases patch in version 5.8.21
  • 2026-01-05: CVE-2025-68455 published in NVD
  • 2026-02-01: Variant CVE-2026-25498 discovered in incomplete fix


Related Vulnerabilities

  • CVE-2024-4990
  • CVE-2026-25498

