<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Craft CMS (&gt;= 5.5.0, &lt;= 5.9.13) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/craft-cms--5.5.0--5.9.13/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 09 Jul 2026 13:46:12 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/craft-cms--5.5.0--5.9.13/feed.xml" rel="self" type="application/rss+xml"/><item><title>Craft CMS RCE via Missing cleanseConfig in FieldsController</title><link>https://feed.craftedsignal.io/briefs/2026-07-craftcms-rce-ghsa/</link><pubDate>Thu, 09 Jul 2026 13:46:12 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-craftcms-rce-ghsa/</guid><description>An authenticated administrator in Craft CMS (versions 5.5.0 to 5.9.13) is vulnerable to Remote Code Execution (RCE) via a missing input sanitization vulnerability in the `actionRenderCardPreview()` method of `FieldsController`, allowing Yii2 event handler injection through specially crafted `fieldLayoutConfig` POST parameters, which enables arbitrary PHP code execution and sensitive information disclosure.</description><content:encoded><![CDATA[<p>A critical vulnerability (GHSA-86vw-x4ww-x467) has been identified in Craft CMS, affecting versions 5.5.0 through 5.9.13, that allows authenticated administrators to achieve Remote Code Execution (RCE). The <code>actionRenderCardPreview()</code> method within the <code>FieldsController</code> component incorrectly passes the <code>fieldLayoutConfig</code> POST parameter directly to <code>Fields::createLayout()</code> without invoking <code>Component::cleanseConfig()</code>. This oversight permits attackers to inject malicious Yii2 event handlers through <code>on eventName</code> keys in the configuration array, leading to arbitrary PHP function execution. The impact extends to information disclosure, potentially exposing sensitive data like database credentials and <code>CRAFT_SECURITY_KEY</code> via <code>phpinfo()</code> output, posing a significant risk of full system compromise for affected installations.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker obtains or compromises legitimate administrative credentials for a Craft CMS instance.</li>
<li>The authenticated attacker crafts a malicious HTTP POST request targeting the <code>/admin/actions/fields/render-card-preview</code> endpoint.</li>
<li>The request includes a <code>fieldLayoutConfig</code> POST parameter containing a specially formed <code>on+init</code> key, such as <code>fieldLayoutConfig[on+init]=phpinfo</code>.</li>
<li>The vulnerable <code>actionRenderCardPreview()</code> method processes this parameter without proper sanitization.</li>
<li>When the <code>FieldLayout</code> object is constructed, Yii2 interprets the <code>on init</code> key as an event handler registration.</li>
<li>During the <code>Component::init()</code> execution, the registered <code>init</code> event is triggered, leading to the execution of the attacker-supplied PHP function (e.g., <code>phpinfo()</code>).</li>
<li>The server responds with the output of the executed PHP function, potentially disclosing sensitive environment variables, system information, and configuration secrets, or executing arbitrary commands.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows an authenticated administrator to achieve full Remote Code Execution (RCE) on the Craft CMS server. This can lead to complete compromise of the web server and its underlying data, including the exfiltration of sensitive information such as database credentials and the <code>CRAFT_SECURITY_KEY</code>. The ability to execute arbitrary PHP functions allows for a wide range of malicious activities, from defacement and data manipulation to establishing persistent backdoors and escalating privileges within the hosting environment. While requiring existing admin access, the severity of the code execution and information disclosure capabilities represents a critical risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately update Craft CMS installations to a patched version beyond 5.9.13 to remediate GHSA-86vw-x4ww-x467.</li>
<li>Deploy the Sigma rules in this brief to your SIEM to detect exploitation attempts against <code>/admin/actions/fields/render-card-preview</code>.</li>
<li>Monitor web server access logs for requests to <code>/admin/actions/fields/render-card-preview</code> containing unusual or suspicious query parameters.</li>
<li>Implement strong authentication mechanisms, such as multi-factor authentication (MFA), for all Craft CMS administrator accounts to prevent credential compromise.</li>
<li>Review the <code>references</code> URL for the official advisory and patching instructions from Craft CMS.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>rce</category><category>web-application</category><category>cms</category><category>craft-cms</category><category>php</category></item></channel></rss>