Craft CMS – Remote Code Execution via Missing Config Sanitization...

8.6 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

Craft CMS (composer package craftcms/cms) versions >= 5.5.0 and <= 5.9.13 contain a remote code execution vulnerability in the FieldsController::actionRenderCardPreview() method, which passes the fieldLayoutConfig POST parameter directly to Fields::createLayout() without calling Component::cleanseConfig(). An authenticated admin user can inject Yii2 event handlers (e.g., 'on init' keys) via the fieldLayoutConfig parameter to execute arbitrary PHP code and disclose sensitive information (such as environment variables containing database credentials and CRAFT_SECURITY_KEY). The issue is fixed in version 5.9.14.

Basic Information

ID CVE-2026-56382

Source VulnCheck

Published Jun 21, 2026 at 13:26

Affected Product

Vendor craftcms

Product cms

Version 5.5.0

Affected Versions craftcms cms 5.5.0

CWE Classification

CWE-94

References

{
    "lastseen": "",
    "description": "Craft CMS (composer package craftcms/cms) versions >= 5.5.0 and <= 5.9.13 contain a remote code execution vulnerability in the FieldsController::actionRenderCardPreview() method, which passes the fieldLayoutConfig POST parameter directly to Fields::createLayout() without calling Component::cleanseConfig(). An authenticated admin user can inject Yii2 event handlers (e.g., 'on init' keys) via the fieldLayoutConfig parameter to execute arbitrary PHP code and disclose sensitive information (such as environment variables containing database credentials and CRAFT_SECURITY_KEY). The issue is fixed in version 5.9.14.",
    "published": "2026-06-21T13:26:58.994Z",
    "modified": "2026-06-21T13:26:58.994Z",
    "type": "cve",
    "title": "Craft CMS - Remote Code Execution via Missing Config Sanitization in FieldsController",
    "source": "VulnCheck",
    "references": "https://github.com/craftcms/cms/security/advisories/GHSA-86vw-x4ww-x467\nhttps://www.vulncheck.com/advisories/craft-cms-remote-code-execution-via-missing-config-sanitization-in-fieldscontroller",
    "id": "CVE-2026-56382",
    "bulletinFamily": "",
    "cwe": [
        "CWE-94"
    ],
    "cvelist": null,
    "sourceData": "craftcms cms 5.5.0",
    "sourceHref": "",
    "cvss": {
        "score": 8.6,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "cms",
    "version": "5.5.0",
    "vendor": "craftcms",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Craft CMS – Remote Code Execution via Missing Config Sanitization in FieldsController_CVE-2026-56382