CVE-2026-25498
Craft has a potential authenticated Remote Code Execution via malicious attached BehaviorCraft is a platform for creating digital experiences. In versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a Remote Code Execution (RCE) vulnerability exists in Craft CMS where the assembleLayoutFromPost() function in src/services/Fields.php fails to sanitize user-supplied configuration data before passing it to Craft::createObject(). This allows authenticated administrators to inject malicious Yii2 behavior configurations that execute arbitrary system commands on the server. This vulnerability represents an unpatched variant of the behavior injection vulnerability addressed in CVE-2025-68455, affecting different endpoints through a separate code path. This vulnerability is fixed in 5.8.22.
We have discovered 3 live websites that are affected by CVE-2026-25498.
Affected Software
| Product |  CrafterCMS |
| Category | Content Management System |
| Vulnerable Domains | 3 live websites (100% of CrafterCMS install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 1 versions ( 100% of all versions) |
Common Weakness Enumeration
CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')Details
- Published - Feb 9, 2026
- Updated - Feb 10, 2026
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2026-25498 United States | 3 websites |
Website Distribution by TLD
Number of websites using CVE-2026-25498| .at | 1 websites |
| .com | 1 websites |
| .de | 1 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2026-25498
Top websites that are affected by CVE-2026-25498. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ********.at | United States | **,***,*** | |
| *******.de | United States | **,***,*** | |
| ***************.com | United States | **,***,*** |
FAQ
CVE-2026-25498 is Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') in CrafterCMS
A total of 3 websites have been identified as vulnerable to CVE-2026-25498, based on global website indexing conducted by WebTechSurvey.
The CrafterCMS is affected by the CVE-2026-25498 vulnerability.
CrafterCMS versions up to 5.8.22 are vulnerable to CVE-2026-25498.
CVE-2026-25498 is resolved in version 5.8.22 of CrafterCMS.