CVE-2026-44011— Craft CMS 安全漏洞

Craft CMS: Potential authenticated Remote Code Execution via malicious attached Behavior

Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, Craft CMS which contains an input-handling flaw in a Yii object creation path that let any authenticated user inject malicious configuration and execute arbitrary commands on the server. The request-controlled condition field layouts data is converted into a live FieldLayout object without a Component::cleanseConfig() boundary. Because Craft configures models before parent::__construct(), attacker-controlled special config keys can take effect during object creation, and FieldLayout initialization then triggers a same-request event. This vulnerability is fixed in 4.17.12 and 5.9.18.

N/A

信号处理例程中使用不可再入的函数

Craft CMS 安全漏洞

Craft CMS是Craft CMS开源的一套内容管理系统（CMS）。 Craft CMS 4.0.0至4.17.12之前版本和5.9.18之前版本存在安全漏洞，该漏洞源于Yii对象创建路径中存在输入处理缺陷，可能导致任何经过身份验证的用户注入恶意配置并执行任意命令。

N/A

N/A