CVE-2026-25498— Craft CMS 安全漏洞

Craft has a potential authenticated Remote Code Execution via malicious attached Behavior

Craft is a platform for creating digital experiences. In versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a Remote Code Execution (RCE) vulnerability exists in Craft CMS where the assembleLayoutFromPost() function in src/services/Fields.php fails to sanitize user-supplied configuration data before passing it to Craft::createObject(). This allows authenticated administrators to inject malicious Yii2 behavior configurations that execute arbitrary system commands on the server. This vulnerability represents an unpatched variant of the behavior injection vulnerability addressed in CVE-2025-68455, affecting different endpoints through a separate code path. This vulnerability is fixed in 5.8.22.

N/A

使用外部可控制的输入来选择类或代码(不安全的反射)

Craft CMS 安全漏洞

Craft CMS是Craft CMS开源的一套内容管理系统（CMS）。 Craft CMS 4.0.0-RC1版本至4.16.17版本和5.0.0-RC1版本至5.8.21版本存在安全漏洞，该漏洞源于assembleLayoutFromPost函数未清理用户配置数据，可能导致远程代码执行。

N/A

N/A