CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



GHSA-86VW-X4WW-X467

CVE-2026-56382: Remote Code Execution in Craft CMS via Yii2 Event Handler Injection

Amit Schendel
Amit Schendel
Senior Security Researcher

Jul 9, 2026·6 min read·4 visits

Executive Summary (TL;DR)

An authenticated administrator can execute arbitrary code remotely in Craft CMS by injecting malicious event handlers in the fieldLayoutConfig parameter targeting the render-card-preview action.

CVE-2026-56382 is a high-severity remote code execution vulnerability in Craft CMS versions 5.5.0 through 5.9.13. The vulnerability exists within the FieldsController::actionRenderCardPreview() method due to a lack of sanitization of the user-supplied fieldLayoutConfig configuration array, permitting authenticated administrators to register arbitrary PHP callbacks using Yii2 event handler injection mechanisms. This issue has been fully remediated in version 5.9.14.

Vulnerability Overview

The vulnerability tracked as CVE-2026-56382 (GHSA-86vw-x4ww-x467) is a code injection flaw in the Craft CMS control panel, specifically located within the FieldsController::actionRenderCardPreview() method of the craftcms/cms package. This controller method handles the dynamic generation of field layout previews for administrative users.\n\nBecause the application handles administrative configurations dynamically using user-influenced parameters, it is critical that all incoming configurations are properly scrubbed before being instantiated. The affected endpoint allows an authenticated attacker with administrative privileges to execute arbitrary PHP code remotely by exploiting dynamic component instantiation characteristics of the underlying Yii2 framework.\n\nThis security advisory impacts installations running versions from 5.5.0 up to 5.9.13. Organizations utilizing these versions must analyze their exposure and upgrade to the patched release to mitigate the risk of arbitrary command execution on the host system.

Root Cause Analysis

The root cause of this vulnerability lies in the dynamic configuration and object-instantiation mechanisms of the Yii2 framework, which serves as the core framework for Craft CMS. When Yii2 instantiates or configures an object using a configuration array, it parses the keys to determine properties, behaviors, and event handlers. Specifically, any key prefixed with 'on ' is interpreted as an event handler registration, allowing callbacks to be mapped to framework lifecycle events.\n\nFor instance, if an attacker injects a key-value pair such as 'on init' => 'phpinfo', the Yii2 configuration parser binds the global PHP function 'phpinfo()' as a handler for the object's init event. When the framework triggers the lifecycle event via $this->trigger(self::EVENT_INIT), the registered callback is executed immediately, resulting in code injection.\n\nCraft CMS developers historically created a mitigation helper, Component::cleanseConfig(), to sanitize input arrays by stripping keys starting with 'on ' or 'as ' prefixes. However, the newly introduced actionRenderCardPreview() endpoint in the FieldsController failed to apply this sanitization routine to the fieldLayoutConfig POST parameter prior to passing it to the layout builder, creating a direct vector for event handler injection.

Code Analysis

To understand the exact mechanics of the vulnerability, we examine the differences between the vulnerable code path and the patched implementation in version 5.9.14.\n\nPrior to the patch, the actionRenderCardPreview method in vendor/craftcms/cms/src/controllers/FieldsController.php retrieved the raw configuration array directly from the request body. It then forwarded the untrusted array straight to Fields::createLayout() without sanitization.\n\nphp\n// Vulnerable Code Path\npublic function actionRenderCardPreview()\n{\n // Retrieves unvalidated POST configuration array from input\n $config = Craft::$app->getRequest()->getBodyParam('fieldLayoutConfig');\n \n // Fails to sanitize the input; configuration is processed directly\n $fieldLayout = Craft::$app->getFields()->createLayout($config);\n \n // ... renders card preview using the unsafe layout configuration\n}\n\n\nThe remediation applied in version 5.9.14 introduces a call to Component::cleanseConfig() to scrub the configuration array before it is passed to the layout builder. This filters out all potentially malicious behavior and event bindings.\n\nphp\n// Patched Code Path in 5.9.14\npublic function actionRenderCardPreview()\n{\n // Retrieves the POST configuration array\n $config = Craft::$app->getRequest()->getBodyParam('fieldLayoutConfig');\n \n // Sanitize the config array to strip out 'on ' and 'as ' prefixes\n $config = \\craft\\base\\Component::cleanseConfig($config);\n \n // Safely create the layout with the cleansed configuration\n $fieldLayout = Craft::$app->getFields()->createLayout($config);\n \n // ... renders card preview safely\n}\n\n\nThis defensive design choice is complete and robust against variant attacks targeting the same component. The helper recursively strips keys that would otherwise register arbitrary behaviors ('as ' prefix) or trigger lifecycle callbacks ('on ' prefix) during instantiation.

Exploitation

Exploitation of CVE-2026-56382 requires an attacker to possess administrative privileges and an active session, as the affected controller action is restricted to the control panel context. Additionally, a valid Cross-Site Request Forgery (CSRF) token must be obtained to bypass the application's CSRF protection.\n\nThe attack is executed by making a crafted POST request to the /admin/actions/fields/render-card-preview endpoint. The attacker sets the fieldLayoutConfig parameter to an array containing a malicious event handler. For proof-of-concept testing, the 'on init' event is registered with a benign diagnostic function like phpinfo.\n\nhttp\nPOST /admin/actions/fields/render-card-preview HTTP/1.1\nHost: target-craftcms.local\nContent-Type: application/x-www-form-urlencoded\nCookie: CraftSessionId=93e96be952dddc485a80b5ade8af1f45dec1b0b\nConnection: close\n\nfieldLayoutConfig[on+init]=phpinfo&CRAFT_CSRF_TOKEN=u5R6qD7y-K4pW06_918b06b09b7v_F9340c5c\n\n\nUpon receiving this payload, the routing engine routes the request to the vulnerable action. The application extracts the un-cleansed array and passes it to the layout creator. When Yii2's instantiation engine configures the layout object, the 'on init' configuration is processed, binding phpinfo() as a listener. When the framework triggers the init event, the function executes, outputting the configuration environment details directly in the response body.\n\nTo pivot this into a shell or execute arbitrary commands, the attacker can leverage standard PHP execution primitives such as system, passthru, or custom class methods that are reachable in the auto-loaded namespace, achieving remote code execution.

Impact Assessment

The security impact of CVE-2026-56382 is high, as it allows arbitrary code execution on the underlying server. Although the vulnerability requires administrative authentication, the compromise of an administrator account can immediately be upgraded to full operating system takeover.\n\nAn attacker who successfully exploits this vulnerability can execute arbitrary PHP code with the privileges of the web server process (e.g., www-data or apache). This allows the attacker to read, modify, or delete sensitive data in the database, extract database connection credentials from environmental files (.env), read private configuration files, and establish persistent backdoors on the system.\n\nThe CVSS v4.0 base score is rated at 8.6, reflecting the high impact on confidentiality, integrity, and availability. Although the attack requirements and complexity are low, the requirement for high privileges mitigates the immediate risk of automated worm-like exploitation, resulting in a low EPSS score of 0.493% as of July 2026.\n\nmermaid\ngraph LR\n Attacker["Attacker (Admin Auth)"] -->|Crafted POST with on init| FieldsController["FieldsController::actionRenderCardPreview"]\n FieldsController -->|Unsanitized config| Yii2["Yii2 Instantiation Engine"]\n Yii2 -->|Executes Callback| PHPExecution["PHP Runtime (Arbitrary Code Execution)"]\n

Detection and Remediation

To remediate CVE-2026-56382, administrators must upgrade their Craft CMS installations to version 5.9.14 or later. This can be accomplished by updating the Composer project dependencies.\n\nbash\ncomposer update craftcms/cms:5.9.14\n\n\nIf upgrading immediately is not possible, access to the administration interface should be restricted using IP whitelisting or network-level access controls. This reduces the attack surface by preventing unauthorized or external access to the control panel actions.\n\nTo detect potential exploitation attempts, security teams should inspect web server logs for requests directed to /admin/actions/fields/render-card-preview containing URL-encoded variables matching patterns of 'on ' or 'as '. Specifically, check for HTTP POST parameters resembling fieldLayoutConfig[on ] or fieldLayoutConfig%5Bon. Intrusion detection rules can also be developed to identify and alert on these signatures.

Technical Appendix

CVSS Score
8.6/ 10
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS Probability
0.49%
Top 61% most exploited

Affected Systems

Craft CMS deployments running version 5.5.0 through 5.9.13

Affected Versions Detail

Product
Affected Versions
Fixed Version
Craft CMS
Craft CMS
>= 5.5.0, <= 5.9.135.9.14
AttributeDetail
CWE IDCWE-94
Attack VectorNetwork
CVSS v4.0 Score8.6
EPSS Score0.00493 (Percentile: 38.82%)
ImpactRemote Code Execution (RCE)
Exploit StatusProof-of-Concept
CISA KEV StatusNot Listed

MITRE ATT&CK Mapping

T1059Command and Scripting Interpreter
Execution
T1203Exploitation for Client Execution
Execution
CWE-94
Improper Control of Generation of Code

The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not sanitize or incorrectly sanitizes the input before it is executed.

Vulnerability Timeline

CVE-2026-56382 is assigned and published
2026-06-21
Craft CMS releases security patch in version 5.9.14
2026-06-21
GitHub Security Advisory GHSA-86vw-x4ww-x467 is published
2026-07-09

References & Sources

  • [1]GitHub Security Advisory GHSA-86vw-x4ww-x467
  • [2]CVE-2026-56382 Record
  • [3]Craft CMS Repository

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•1 minute ago•GHSA-387M-935M-C4VW
7.5

GHSA-387m-935m-c4vw: Unbounded HTTP Redirections Enable Infinite Loop Denial of Service in Micronaut HTTP Client

The Netty-based HTTP Client in the Micronaut framework fails to enforce a maximum redirect ceiling by default when processing HTTP responses. This permits remote, attacker-controlled servers to trigger continuous, infinite redirect loops. The resulting recursion causes high CPU utilization, thread starvation, and potential memory exhaustion, inducing a Denial of Service (DoS) state in client-side applications.

Amit Schendel
Amit Schendel
0 views•6 min read
•32 minutes ago•GHSA-Q6GH-6V2R-HJV3
8.8

GHSA-Q6GH-6V2R-HJV3: Cross-Origin Credential Leakage in Micronaut HTTP Client

An information disclosure vulnerability exists in the Micronaut Framework's HTTP client components. The client fails to clear sensitive authorization headers and cookies when following redirects across different origins. If an application using the vulnerable client communicates with an endpoint that issues a redirect to an external host, the client will forward the original credentials, leading to potential token theft and session hijacking.

Amit Schendel
Amit Schendel
1 views•6 min read
•about 1 hour ago•GHSA-52VM-MXX8-F227
7.7

GHSA-52vm-mxx8-f227: Arbitrary File Write and Decompression Denial of Service in phantom-audio

GHSA-52vm-mxx8-f227 is a dual-vector security flaw in phantom-audio (<= 1.3.0). The vulnerability allows arbitrary file writes due to unconfined Model Context Protocol (MCP) tool paths when the PHANTOM_OUTPUT_DIR environment variable is not defined. Concurrently, the platform lacks validation controls during the decompression of highly compressed audio files, resulting in resource-exhaustion denial of service and downstream parsing vulnerability exposure.

Amit Schendel
Amit Schendel
2 views•5 min read
•about 2 hours ago•GHSA-C43V-4CR8-6MVP
6.5

GHSA-C43V-4CR8-6MVP: Authenticated Path Traversal in Craft CMS Asset Icon Helper

An authenticated path traversal and arbitrary local file read vulnerability exists in Craft CMS versions 4.x up to 4.17.6 within the assets/icon endpoint and Assets helper classes. By exploiting this vulnerability, an authenticated user can traverse directories and read arbitrary .svg files on the server's filesystem, or execute Stored Cross-Site Scripting (XSS) if they can upload a malicious SVG.

Alon Barad
Alon Barad
3 views•8 min read
•about 3 hours ago•GHSA-382C-VX95-W3P5
6.5

GHSA-382C-VX95-W3P5: Missing Access Control on Profile Endpoint and MCP Tool in Gittensory

An insecure direct object reference (IDOR) and missing authorization validation check in the Gittensory REST API and Model Context Protocol (MCP) server allowed authenticated users to query arbitrary miner profiles, exposing sensitive cryptographic hotkeys and daily financial/economic yields.

Alon Barad
Alon Barad
3 views•6 min read
•about 19 hours ago•CVE-2026-53634
4.3

CVE-2026-53634: Missing Authorization in Code16 Sharp Quick Creation Command Controller

Code16 Sharp versions from 9.0.0 up to (but not including) 9.22.3 are vulnerable to a missing authorization flaw in the Quick Creation Command feature. The ApiEntityListQuickCreationCommandController fails to validate entity-level 'create' policies before returning administrative form designs or processing database modifications. Authenticated users with restricted access can bypass policy boundaries to access creation configurations and insert records.

Alon Barad
Alon Barad
6 views•5 min read