Cyber Resilience

CVE-2026-25498

HighPublic PoC

Published: 09 February 2026

Published
09 February 2026
Modified
19 February 2026
KEV Added
Patch
CVSS Score v4 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0097 57.3th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-25498 is a high-severity Unsafe Reflection (CWE-470) vulnerability in Craftcms Craft Cms. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 42.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-25498 is a remote code execution (RCE) vulnerability in Craft CMS, a platform for creating digital experiences. It affects versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21. The issue resides in the assembleLayoutFromPost() function within src/services/Fields.php, which fails to sanitize user-supplied configuration data before passing it to Craft::createObject(). This allows injection of malicious Yii2 behavior configurations. The vulnerability is scored at CVSS 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and is linked to CWE-470 (Uncontrolled Resource Consumption). It represents an unpatched variant of the behavior injection issue fixed in CVE-2025-68455, but impacts different endpoints via a separate code path.

Authenticated administrators can exploit this vulnerability over the network with low complexity and no user interaction. By supplying crafted configuration data, they can inject arbitrary Yii2 behaviors that execute system commands on the server, potentially leading to full compromise including high confidentiality, integrity, and availability impacts.

Mitigation is available in Craft CMS version 5.8.22, which addresses the sanitization flaw. Security practitioners should upgrade affected installations immediately. Relevant resources include the fixing commit at https://github.com/craftcms/cms/commit/395c64f0b80b507be1c862a2ec942eaacb353748, the release notes at https://github.com/craftcms/cms/releases/tag/5.8.22, and the advisory at https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Craft is a platform for creating digital experiences. In versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a Remote Code Execution (RCE) vulnerability exists in Craft CMS where the assembleLayoutFromPost() function in src/services/Fields.php fails to sanitize user-supplied configuration data before…

more

passing it to Craft::createObject(). This allows authenticated administrators to inject malicious Yii2 behavior configurations that execute arbitrary system commands on the server. This vulnerability represents an unpatched variant of the behavior injection vulnerability addressed in CVE-2025-68455, affecting different endpoints through a separate code path. This vulnerability is fixed in 5.8.22.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVE describes an RCE vulnerability in the public-facing Craft CMS web application that is directly exploitable over the network by authenticated admins via unsafe input handling in a core function, mapping to the technique for exploiting public-facing applications to achieve code execution and full system compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-68455Same product: Craftcms Craft Cms
CVE-2026-33157Same product: Craftcms Craft Cms
CVE-2026-32264Same product: Craftcms Craft Cms
CVE-2026-32263Same product: Craftcms Craft Cms
CVE-2026-25495Same product: Craftcms Craft Cms
CVE-2025-23209Same product: Craftcms Craft Cms
CVE-2026-28784Same product: Craftcms Craft Cms
CVE-2026-31857Same product: Craftcms Craft Cms
CVE-2026-32267Same product: Craftcms Craft Cms
CVE-2025-68456Same product: Craftcms Craft Cms

Affected Assets

craftcms
craft cms
4.0.0, 5.0.0 · 4.0.0 — 4.16.18 · 5.0.0 — 5.8.22

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of all user-supplied configuration data before it is passed to Craft::createObject(), blocking the malicious Yii2 behavior injection.

prevent

Mandates prompt application of the vendor patch (5.8.22) that adds the missing sanitization in assembleLayoutFromPost().

prevent

Limits the number of users granted the administrator role that can reach the vulnerable Fields.php code path, reducing the attack surface for authenticated RCE.

References