Craft CMS (Authenticated), RCE via Yii Object Injection, CVE-2026-33157 (Critical)

🔍 CVE Breakdown: CVE-2026-33157 Workflow

While Yii itself provides flexible, configurable object creation, this vulnerability originates from an input-handling flaw in how Craft CMS constructs certain objects from user-supplied data. Specifically, `ElementIndexesController::actionFilterHud()` passes the unsanitized `fieldLayouts` parameter from an HTTP request directly into `FieldLayout::createFromConfig()`. This is a significant oversight, because the function lacks the safeguards, such as `Component::cleanseConfig()`, that were added elsewhere in the software after similar issues.
This new attack vector is a direct bypass of the earlier security patches addressing GHSA-255j-qw47-wjh5. Those fixes covered other parts of the application, but `ElementIndexesController` remained exposed, allowing an attacker to circumvent them. An authenticated user can exploit this by injecting a malicious configuration object.
The core of the exploit leverages Yii's behavior-injection features. The provided payload is designed to attach a legitimate yet dangerous behavior class, `yii\behaviors\AttributeTypecastBehavior`, to a Yii component. By using the special `on ` key to register a wildcard event listener, the attacker ensures that any event triggered on the tainted component will execute a malicious callable. This ultimately leads to remote code execution (RCE) via the system command defined in the payload.
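A defensive illustration of the missing safeguard described above. This is an added example written for this post, not Craft's code: a hypothetical recursive sanitiser (the function name and the constructed sample body are assumptions) that strips the keys Yii treats as instructions before untrusted request data reaches a `createFromConfig()`-style factory, and fails closed when anything had to be stripped.

```php
<?php
declare(strict_types=1);

// Hypothetical sanitiser (not Craft's Component::cleanseConfig()). Yii resolves
// "class" to a class to instantiate, and Component::__set() treats "as <name>"
// (attach a behavior) and "on <event>" ("on *" = wildcard handler) as
// instructions, so none may come from request input; "__class" is dropped too.
function cleanseUntrustedConfig(array $config, string $path, array &$dropped): array
{
    $clean = [];
    foreach ($config as $key => $value) {
        $keyPath = ($path === '' ? '' : $path . '.') . (string) $key;
        if (is_string($key) && ($key === 'class' || $key === '__class'
                || strncmp($key, 'on ', 3) === 0 || strncmp($key, 'as ', 3) === 0)) {
            $dropped[] = $keyPath;
            continue;
        }
        $clean[$key] = is_array($value)
            ? cleanseUntrustedConfig($value, $keyPath, $dropped) // nested configs too
            : $value;
    }
    return $clean;
}

// Constructed sample of a fieldLayouts-style body with smuggled keys; the values
// are placeholders, not a working payload.
$untrusted = [
    'type' => 'craft\\elements\\Entry',
    'tabs' => [[
        'name'        => 'Content',
        'as smuggled' => ['class' => 'PLACEHOLDER_BEHAVIOR_CLASS'],
        'on *'        => 'PLACEHOLDER_CALLABLE',
    ]],
];
$dropped = [];
$safe = cleanseUntrustedConfig($untrusted, '', $dropped);

// Fail closed: a request that needed cleansing is hostile, so reject and log it
// rather than quietly continuing with the stripped config. Only a fully clean
// $safe (nothing dropped) should ever reach a createFromConfig()-style factory.
if ($dropped !== []) {
    error_log('rejected untrusted config keys: ' . implode(', ', $dropped));
    http_response_code(400);
    exit(1);
}
```

For the sample above, `$dropped` ends up as `tabs.0.as smuggled` and `tabs.0.on *`, which is the signal worth alerting on in request logs.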

📋 DailyCVE Form

Platform: `Craft CMS`
Version: `5.6.0-5.9.13`
Vulnerability: `Authenticated RCE`
Severity: `8.6 High`
Date: `March 23, 2026`

Prediction: `expected May 2026`

📊 Under Analysis: What Undercode Says

Following the disclosure of a new bypass (CVE-2026-33157), researchers quickly identified the vulnerable function. The focus of the security community is on comparing patch commits against previous versions to pinpoint the exact changes.

🔬 Analytical Bash Commands

To analyze the patch for ElementIndexesController, you can use `git diff` to compare the vulnerable and patched versions of Craft CMS.

```bash
# Compare a vulnerable version (5.9.0) with the patched version (5.9.13)
git diff --name-only v5.9.0 v5.9.13
git diff v5.9.0 v5.9.13 -- src/controllers/ElementIndexesController.php
```

For a more thorough search, use `git grep` to find all uses of `FieldLayout::createFromConfig()` across the codebase. This helps identify all other potential injection points.

```bash
# Pathspec must be a glob ('*.php'); a bare '.php' would only match a file literally named ".php"
git grep 'FieldLayout::createFromConfig' -- '*.php'
```

⚔️ Exploit: The Attack Chain in Action

The exploitation is a relatively low-complexity process for any authenticated user with access to the Craft control panel. The attack chain involves just two steps:
1. Craft the Malicious Payload: An attacker constructs a JSON payload designed to be sent in a POST request. This payload, under the `fieldLayouts` parameter, contains the malicious behavior configuration.
2. Send the Request: The attacker sends this crafted request to the vulnerable `/admin/actions/element-indexes/filter-hud` endpoint, triggering the injection and execution of arbitrary commands on the server.

🛡️ Protection from This RCE (CVE-2026-33157)

Immediate action is required to secure your Craft CMS instances.
Primary Fix (Upgrade): The only complete remediation is to upgrade Craft CMS to version `5.9.13` or later, where a direct fix has been implemented.
Immediate Mitigations: While upgrading is the only full fix, security teams should prioritize restricting control panel access to a trusted list of administrators and applying the principle of least privilege to reduce the immediate attack surface.

💥 Impact: Assessing the Blast Radius

A successful exploit has a severe impact on the confidentiality, integrity, and availability of the system.
Automatic Event: By automatically executing code when any event is triggered on the compromised component, the attacker achieves code execution reliably without further user interaction.
Full System Compromise: Successful RCE allows an attacker to gain complete control over the web server. This can lead to data theft from databases, defacement of websites, and use of the compromised server as a foothold for lateral movement within the network.

Sources:

Reported By: github.com
Extra Source Hub:
Undercode
