Remote Code Execution Vulnerability in Craft CMS by Craft
CVE-2026-56382

8.6 HIGH

Key Information:

Vendor: Craftcms
Status: Vendor
CVE Published: 21 June 2026

What is CVE-2026-56382?

Craft CMS versions 5.5.0 through 5.9.13 are vulnerable to remote code execution. The flaw is in the FieldsController::actionRenderCardPreview() method, which applies the user-supplied fieldLayoutConfig POST parameter as component configuration without sanitizing it. In Yii2, a configuration array key beginning with "on " attaches an event handler (and "as " attaches a behavior), so an authenticated admin user can inject handler entries through fieldLayoutConfig and have arbitrary PHP callables executed by the application. As a result, sensitive data such as database credentials and the CRAFT_SECURITY_KEY can be compromised. The issue is fixed in Craft CMS 5.9.14, which sanitizes the configuration before applying it.
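The following is an added illustration, not Craft CMS or Yii2 source, of the mechanism the description refers to: when a request-controlled array is applied to a component key by key, a key such as "on render" attaches whatever callable the request names as an event handler. DemoComponent, configureUnsafe() and stripYiiHandlerKeys() are hypothetical names, the request body is constructed, and the exact sanitization shipped in Craft CMS 5.9.14 is not reproduced; the stripping function shows the generic mitigation of dropping "on "/"as " keys at any depth before the array reaches the component. Requires PHP 8+.

```php
<?php
// Added example (not Craft CMS or Yii2 code). DemoComponent mimics the part of
// yii\base\Component::__set() that turns a config key "on <event>" into an
// attached event handler and "as <name>" into an attached behavior.
declare(strict_types=1);

final class DemoComponent
{
    public string $name = '';
    public array $tabs = [];
    /** @var array<string, list<callable>> */
    private array $handlers = [];

    // Stand-in for yii\base\Component::__set(): "on x" attaches a handler,
    // "as x" attaches a behavior, anything else must be a declared property.
    public function __set(string $key, mixed $value): void
    {
        if (str_starts_with($key, 'on ')) {
            $this->handlers[trim(substr($key, 3))][] = $value;
            return;
        }
        if (str_starts_with($key, 'as ')) {
            throw new RuntimeException("behavior attachment attempted via '$key'");
        }
        throw new RuntimeException("unknown property '$key'");
    }

    // Fires the handlers registered for $event and returns how many ran.
    public function trigger(string $event): int
    {
        $fired = 0;
        foreach ($this->handlers[$event] ?? [] as $handler) {
            // A string callable supplied in the request body is invoked here.
            call_user_func($handler, $event);
            $fired++;
        }
        return $fired;
    }
}

// Vulnerable shape (hypothetical): request-controlled config applied unchanged.
function configureUnsafe(DemoComponent $component, array $config): DemoComponent
{
    foreach ($config as $key => $value) {
        $component->$key = $value;   // "on render" lands in __set() and attaches a handler
    }
    return $component;
}

// Mitigation (hypothetical helper): drop "on "/"as " keys, including nested ones,
// before the array is used as component configuration.
function stripYiiHandlerKeys(array $config): array
{
    $clean = [];
    foreach ($config as $key => $value) {
        if (is_string($key) && preg_match('/^(on|as)\s/', $key)) {
            continue;
        }
        $clean[$key] = is_array($value) ? stripYiiHandlerKeys($value) : $value;
    }
    return $clean;
}

// Constructed request body: legitimate keys plus an injected handler key whose
// value names a PHP callable (a harmless one, printf, for the demo) and a nested
// behavior-attachment key.
$postedFieldLayoutConfig = json_decode(
    '{"name":"Title","on render":"printf","tabs":[{"as foo":"x","label":"Content"}]}',
    true,
);

$unsafe = configureUnsafe(new DemoComponent(), $postedFieldLayoutConfig);
echo PHP_EOL, 'unsafe: handlers fired = ', $unsafe->trigger('render'), PHP_EOL; // printf("render") ran, 1 fired

$safe = configureUnsafe(new DemoComponent(), stripYiiHandlerKeys($postedFieldLayoutConfig));
echo 'sanitized: handlers fired = ', $safe->trigger('render'), PHP_EOL;          // 0 fired
```

Run it with `php demo.php`; the unsafe path prints "render" (the injected callable executed) and reports one handler fired, while the sanitized path reports none. On a real Yii2 component the same "on " key would reach the framework's own __set(), which is why the fix sanitizes the array rather than trusting the request.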

Affected Version(s)

cms >= 5.5.0, < 5.9.14 (fixed in 5.9.14)


CVSS V4

Score: 8.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: High (an authenticated admin account, as stated in the description)
User Interaction: None

Timeline

  • Vulnerability Reserved

  • Vulnerability published

Credit

q1uf3ng