Cyber Posture

CVE-2026-33157

Severity: High · Public PoC
Published: 24 March 2026
Modified: 26 March 2026
KEV Added: not listed
Patch: available (Craft CMS 5.9.13)
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0010 (26.4th percentile)
Risk Priority: 14 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-33157 is a high-severity Unsafe Reflection (CWE-470) vulnerability in Craftcms Craft Cms. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 26.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

SI-2 (prevent): requires timely flaw remediation, which addresses this CVE directly by applying the vendor patch in Craft CMS 5.9.13 that sanitizes the fieldLayouts parameter.

SI-10 (prevent): mandates validation of all inputs, which blocks the Yii2 behavior/event injection by sanitizing the fieldLayouts parameter that ElementIndexesController::actionFilterHud() currently passes through unsanitized.

AC-6 (prevent): enforces least privilege, reducing the attack surface by restricting control panel access to the authenticated users who genuinely need it, since exploitation requires high privileges (PR:H).

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

RCE in public-facing Craft CMS web app directly maps to T1190 for initial exploitation; arbitrary server-side code execution enables web shell deployment (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.13, a Remote Code Execution (RCE) vulnerability exists in Craft CMS that can be exploited by any authenticated user with control panel access. This is a bypass of a previous fix. The existing patches add cleanseConfig() to assembleLayoutFromPost() and various FieldsController actions to strip Yii2 behavior/event injection keys ("as" and "on" prefixed keys). However, the fieldLayouts parameter in ElementIndexesController::actionFilterHud() is passed directly to FieldLayout::createFromConfig() without any sanitization, enabling the same behavior injection attack chain. This issue has been patched in version 5.9.13.

Deeper analysis [AI]

CVE-2026-33157 is a Remote Code Execution (RCE) vulnerability in Craft CMS, a content management system, affecting versions from 5.6.0 to before 5.9.13. The issue stems from a bypass of prior mitigations against Yii2 behavior and event injection attacks using "as" and "on" prefixed keys. Specifically, the fieldLayouts parameter in ElementIndexesController::actionFilterHud() is passed directly to FieldLayout::createFromConfig() without sanitization via cleanseConfig(), unlike fixes applied to assembleLayoutFromPost() and FieldsController actions. It is classified under CWE-470 with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
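The defensive pattern the fix relies on is a recursive filter that removes Yii2 behavior and event-handler keys from a user-supplied configuration array before it reaches a factory such as FieldLayout::createFromConfig(). The PHP below is an added illustration of that pattern, not Craft CMS's own cleanseConfig() and not code from the fixing commit. It rests on one Yii2 fact: yii\base\Component::__set() treats a key beginning with "on " as an event-handler attachment and a key beginning with "as " as a behavior attachment. The filter is deliberately stricter than Yii's own prefix check (it trims leading whitespace and ignores case) so that a slightly mangled key cannot slip through, and it records which keys it dropped so the rejection can be logged. The sample input, the behavior class name and the version-range helper are constructed for the example.

```php
<?php
// Added example: strip Yii2 "as <name>" (behavior) and "on <event>" (event handler)
// keys from a nested config array. Not Craft CMS's cleanseConfig(); written for
// illustration only.

/**
 * Return a copy of $config with every "as ..." / "on ..." key removed, at any depth.
 * Dropped keys are appended to $removed so the caller can log or reject the request.
 */
function stripYiiInjectionKeys(array $config, array &$removed = []): array
{
    $clean = [];
    foreach ($config as $key => $value) {
        if (is_string($key)) {
            // Normalise before checking: Yii itself only matches the exact lowercase
            // prefix, but a defensive filter should not depend on that detail.
            $normalized = strtolower(ltrim($key));
            if (strncmp($normalized, 'as ', 3) === 0 || strncmp($normalized, 'on ', 3) === 0) {
                $removed[] = $key;
                continue;
            }
        }
        // Recurse into nested arrays (tabs, elements, ...) so deeply placed keys are caught too.
        $clean[$key] = is_array($value) ? stripYiiInjectionKeys($value, $removed) : $value;
    }
    return $clean;
}

/**
 * Version check for the range the advisory gives: 5.6.0 up to, but excluding, 5.9.13.
 * Hypothetical helper for patch-status inventories (SI-2); the bounds come from the advisory.
 */
function isAffectedCraftVersion(string $version): bool
{
    return version_compare($version, '5.6.0', '>=') && version_compare($version, '5.9.13', '<');
}

// Constructed sample resembling a field-layout config posted to the control panel.
// The two injection keys carry harmless placeholder values here; in Yii they would be
// interpreted as a behavior and an event-handler attachment by Component::__set().
$posted = [
    'type' => 'craft\\models\\FieldLayout',
    'tabs' => [
        [
            'name' => 'Content',
            'elements' => [
                ['type' => 'craft\\fieldlayoutelements\\CustomField', 'fieldUid' => 'constructed-uid-0001'],
            ],
            'as injected'      => ['class' => 'constructed\\ExampleBehavior'], // constructed class name
            'on afterValidate' => 'constructed_callback',                     // constructed callback name
        ],
    ],
];

$removed = [];
$safe = stripYiiInjectionKeys($posted, $removed);

if ($removed !== []) {
    // In a real controller this is the point to reject the request (HTTP 400) and
    // log the user, the action and the offending keys for detection purposes.
    fwrite(STDERR, 'Rejected config keys: ' . implode(', ', $removed) . PHP_EOL);
}

print_r($safe);
var_dump(isAffectedCraftVersion('5.9.12'));
var_dump(isAffectedCraftVersion('5.9.13'));
```

Run with `php example.php`: the two injection keys are reported on stderr and absent from the printed layout, while the nested tabs and elements are preserved. Filtering like this is defence in depth for SI-10; the primary remediation remains the upgrade to 5.9.13.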

Any authenticated user with control panel access can exploit this vulnerability remotely with low complexity and no user interaction required. Exploitation enables arbitrary code execution on the server, potentially leading to full compromise with high impacts on confidentiality, integrity, and availability.

Craft CMS has patched the vulnerability in version 5.9.13. Security practitioners should upgrade immediately. Key references include the fixing commit at https://github.com/craftcms/cms/commit/97e90b4bdee369c1af3ca77a77531132df240e4e, release notes at https://github.com/craftcms/cms/releases/tag/5.9.13, and the GitHub security advisory at https://github.com/craftcms/cms/security/advisories/GHSA-2fph-6v5w-89hh.

Details

CWE(s): CWE-470 (Unsafe Reflection)

Affected Products

craftcms craft cms: 5.6.0 up to (excluding) 5.9.13

CVEs Like This One

CVE-2026-25498 (same product: Craftcms Craft Cms)
CVE-2025-68455 (same product: Craftcms Craft Cms)
CVE-2026-32264 (same product: Craftcms Craft Cms)
CVE-2026-32263 (same product: Craftcms Craft Cms)
CVE-2026-28697 (same product: Craftcms Craft Cms)
CVE-2025-23209 (same product: Craftcms Craft Cms)
CVE-2026-25495 (same product: Craftcms Craft Cms)
CVE-2026-28695 (same product: Craftcms Craft Cms)
CVE-2025-68456 (same product: Craftcms Craft Cms)
CVE-2026-28783 (same product: Craftcms Craft Cms)

References