{"vulnerability": "CVE-2026-56382", "sightings": [{"uuid": "094e0451-8c87-498c-8958-3e91663f39d9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-56382", "type": "seen", "source": "https://bsky.app/profile/offseq.bsky.social/post/3motvg3g7qm2x", "content": "HIGH severity RCE (CVE-2026-56382) impacts Craft CMS 5.5.0 \u2013 5.9.13. Authenticated admins can inject code and access secrets. Upgrade to 5.9.14+ ASAP. https://radar.offseq.com/threat/cve-2026-56382-improper-control-of-generation-of-c-a60c46eab20e347b #OffSeq #CraftCMS #Vulnerability", "creation_timestamp": "2026-06-22T03:00:26.928854Z"}, {"uuid": "9eaf2983-4987-4b35-84b1-a2a0c452da4f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-56382", "type": "seen", "source": "https://infosec.exchange/users/offseq/statuses/116791523679077429", "content": "CVE-2026-56382: HIGH severity RCE in Craft CMS (5.5.0 \u2013 5.9.13). Authenticated admins can inject code via FieldsController, leaking sensitive env vars. Patch now by upgrading to 5.9.14+. https://radar.offseq.com/threat/cve-2026-56382-improper-control-of-generation-of-c-a60c46eab20e347b #OffSeq #CraftCMS #RCE #Vuln", "creation_timestamp": "2026-06-22T03:00:28.721017Z"}, {"uuid": "dbc9a4ad-287f-40d1-a044-3cf1a09db8a5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-56382", "type": "seen", "source": "https://gist.github.com/alon710/305f4c5d688e5f2ef3648a51ae29f792", "content": "# GHSA-86VW-X4WW-X467: CVE-2026-56382: Remote Code Execution in Craft CMS via Yii2 Event Handler Injection\n\n&gt; **CVSS Score:** 8.6\n&gt; **Published:** 2026-07-09\n&gt; **Full Report:** https://cvereports.com/reports/GHSA-86VW-X4WW-X467\n\n## Summary\nCVE-2026-56382 is a high-severity remote code execution vulnerability in Craft CMS versions 5.5.0 through 5.9.13. The vulnerability exists within the FieldsController::actionRenderCardPreview() method due to a lack of sanitization of the user-supplied fieldLayoutConfig configuration array, permitting authenticated administrators to register arbitrary PHP callbacks using Yii2 event handler injection mechanisms. This issue has been fully remediated in version 5.9.14.\n\n## TL;DR\nAn authenticated administrator can execute arbitrary code remotely in Craft CMS by injecting malicious event handlers in the fieldLayoutConfig parameter targeting the render-card-preview action.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-94\n- **Attack Vector**: Network\n- **CVSS v4.0 Score**: 8.6\n- **EPSS Score**: 0.00493 (Percentile: 38.82%)\n- **Impact**: Remote Code Execution (RCE)\n- **Exploit Status**: Proof-of-Concept\n- **CISA KEV Status**: Not Listed\n\n## Affected Systems\n\n- Craft CMS deployments running version 5.5.0 through 5.9.13\n- **Craft CMS**: &gt;= 5.5.0, &lt;= 5.9.13 (Fixed in: `5.9.14`)\n\n## Mitigation\n\n- Upgrade Craft CMS dependencies immediately to version 5.9.14 or later.\n- Restrict web access to the administrative control panel using IP whitelist configurations.\n- Monitor application logs for suspicious parameters matching on or as keys in fieldLayoutConfig.\n\n**Remediation Steps:**\n1. Execute 'composer update craftcms/cms:5.9.14' in the root directory of the application.\n2. Validate that 'FieldsController.php' now invokes 'Component::cleanseConfig' on the incoming configuration array.\n3. Verify application functionality by testing card preview generations in the admin dashboard.\n4. Rotate admin credentials and API secrets if compromised web requests are identified in historical logs.\n\n## References\n\n- [GitHub Security Advisory GHSA-86vw-x4ww-x467](https://github.com/craftcms/cms/security/advisories/GHSA-86vw-x4ww-x467)\n- [CVE-2026-56382 Record](https://www.cve.org/CVERecord?id=CVE-2026-56382)\n- [Craft CMS Repository](https://github.com/craftcms/cms)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-86VW-X4WW-X467) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-09T15:11:49.078636Z"}]}