CVE-2026-33157
Craft CMS: Potential authenticated Remote Code Execution via malicious attached BehaviorCraft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.13, a Remote Code Execution (RCE) vulnerability exists in Craft CMS, it can be exploited by any authenticated user with control panel access. This is a bypass of a previous fix. The existing patches add cleanseConfig() to assembleLayoutFromPost() and various FieldsController actions to strip Yii2 behavior/event injection keys ("as" and "on" prefixed keys). However, the fieldLayouts parameter in ElementIndexesController::actionFilterHud() is passed directly to FieldLayout::createFromConfig() without any sanitization, enabling the same behavior injection attack chain. This issue has been patched in version 5.9.13.
We have discovered 2 live websites that are affected by CVE-2026-33157.
Affected Software
| Product |  CrafterCMS |
| Category | Content Management System |
| Vulnerable Domains | 2 live websites (100% of CrafterCMS install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 1 versions ( 100% of all versions) |
Common Weakness Enumeration
CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')Details
- Published - Mar 24, 2026
- Updated - Mar 25, 2026
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2026-33157 United States | 2 websites |
Website Distribution by TLD
Number of websites using CVE-2026-33157| .com | 1 websites |
| .de | 1 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2026-33157
Top websites that are affected by CVE-2026-33157. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *******.de | United States | **,***,*** | |
| ***************.com | United States | **,***,*** |
FAQ
CVE-2026-33157 is Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') in CrafterCMS
A total of 2 websites have been identified as vulnerable to CVE-2026-33157, based on global website indexing conducted by WebTechSurvey.
The CrafterCMS is affected by the CVE-2026-33157 vulnerability.
CrafterCMS versions up to 5.9.13 are vulnerable to CVE-2026-33157.
CVE-2026-33157 is resolved in version 5.9.13 of CrafterCMS.