{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/craft-cms--5.5.0--5.9.13/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Craft CMS (\u003e= 5.5.0, \u003c= 5.9.13)"],"_cs_severities":["high"],"_cs_tags":["rce","web-application","cms","craft-cms","php"],"_cs_type":"advisory","_cs_vendors":["Craft CMS"],"content_html":"\u003cp\u003eA critical vulnerability (GHSA-86vw-x4ww-x467) has been identified in Craft CMS, affecting versions 5.5.0 through 5.9.13, that allows authenticated administrators to achieve Remote Code Execution (RCE). The \u003ccode\u003eactionRenderCardPreview()\u003c/code\u003e method within the \u003ccode\u003eFieldsController\u003c/code\u003e component incorrectly passes the \u003ccode\u003efieldLayoutConfig\u003c/code\u003e POST parameter directly to \u003ccode\u003eFields::createLayout()\u003c/code\u003e without invoking \u003ccode\u003eComponent::cleanseConfig()\u003c/code\u003e. This oversight permits attackers to inject malicious Yii2 event handlers through \u003ccode\u003eon eventName\u003c/code\u003e keys in the configuration array, leading to arbitrary PHP function execution. The impact extends to information disclosure, potentially exposing sensitive data like database credentials and \u003ccode\u003eCRAFT_SECURITY_KEY\u003c/code\u003e via \u003ccode\u003ephpinfo()\u003c/code\u003e output, posing a significant risk of full system compromise for affected installations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker obtains or compromises legitimate administrative credentials for a Craft CMS instance.\u003c/li\u003e\n\u003cli\u003eThe authenticated attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/admin/actions/fields/render-card-preview\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request includes a \u003ccode\u003efieldLayoutConfig\u003c/code\u003e POST parameter containing a specially formed \u003ccode\u003eon+init\u003c/code\u003e key, such as \u003ccode\u003efieldLayoutConfig[on+init]=phpinfo\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003eactionRenderCardPreview()\u003c/code\u003e method processes this parameter without proper sanitization.\u003c/li\u003e\n\u003cli\u003eWhen the \u003ccode\u003eFieldLayout\u003c/code\u003e object is constructed, Yii2 interprets the \u003ccode\u003eon init\u003c/code\u003e key as an event handler registration.\u003c/li\u003e\n\u003cli\u003eDuring the \u003ccode\u003eComponent::init()\u003c/code\u003e execution, the registered \u003ccode\u003einit\u003c/code\u003e event is triggered, leading to the execution of the attacker-supplied PHP function (e.g., \u003ccode\u003ephpinfo()\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe server responds with the output of the executed PHP function, potentially disclosing sensitive environment variables, system information, and configuration secrets, or executing arbitrary commands.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an authenticated administrator to achieve full Remote Code Execution (RCE) on the Craft CMS server. This can lead to complete compromise of the web server and its underlying data, including the exfiltration of sensitive information such as database credentials and the \u003ccode\u003eCRAFT_SECURITY_KEY\u003c/code\u003e. The ability to execute arbitrary PHP functions allows for a wide range of malicious activities, from defacement and data manipulation to establishing persistent backdoors and escalating privileges within the hosting environment. While requiring existing admin access, the severity of the code execution and information disclosure capabilities represents a critical risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update Craft CMS installations to a patched version beyond 5.9.13 to remediate GHSA-86vw-x4ww-x467.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM to detect exploitation attempts against \u003ccode\u003e/admin/actions/fields/render-card-preview\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor web server access logs for requests to \u003ccode\u003e/admin/actions/fields/render-card-preview\u003c/code\u003e containing unusual or suspicious query parameters.\u003c/li\u003e\n\u003cli\u003eImplement strong authentication mechanisms, such as multi-factor authentication (MFA), for all Craft CMS administrator accounts to prevent credential compromise.\u003c/li\u003e\n\u003cli\u003eReview the \u003ccode\u003ereferences\u003c/code\u003e URL for the official advisory and patching instructions from Craft CMS.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-09T13:46:12Z","date_published":"2026-07-09T13:46:12Z","id":"https://feed.craftedsignal.io/briefs/2026-07-craftcms-rce-ghsa/","summary":"An authenticated administrator in Craft CMS (versions 5.5.0 to 5.9.13) is vulnerable to Remote Code Execution (RCE) via a missing input sanitization vulnerability in the `actionRenderCardPreview()` method of `FieldsController`, allowing Yii2 event handler injection through specially crafted `fieldLayoutConfig` POST parameters, which enables arbitrary PHP code execution and sensitive information disclosure.","title":"Craft CMS RCE via Missing cleanseConfig in FieldsController","url":"https://feed.craftedsignal.io/briefs/2026-07-craftcms-rce-ghsa/"}],"language":"en","title":"CraftedSignal Threat Feed - Craft CMS (\u003e= 5.5.0, \u003c= 5.9.13)","version":"https://jsonfeed.org/version/1.1"}