Threat Advisory

Craft CMS Vulnerability Enables Remote Execution

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in the Craft CMS software, affecting versions 4.0.0 through 4.17.12, and 5.0.0 through 5.9.17. The vulnerabilities include a missing volume permission check in the AssetsController::actionShowInFolder method, which allows information disclosure, and a potential authenticated remote code execution vulnerability via malicious attached behavior. These vulnerabilities pose a significant business risk, as they enable attackers to enumerate asset filenames and folder structures, as well as execute arbitrary commands on the server. If exploited, these vulnerabilities could lead to sensitive volume structures being exposed and targeted follow-up attacks being launched.


  • CVE-2026-44012 with a CVSS score of 7.5 – This vulnerability is in the AssetsController::actionShowInFolder method, which fails to check whether the requesting user has the viewAssets or viewPeerAssets permission on the asset's volume. As a result, any authenticated control panel user can enumerate asset filenames and folder structures, even if they are not authorized to access the volume. The attacker capability is high: sensitive volume structures can be exposed and used to plan targeted follow-up attacks.
  • CVE-2026-44011 with a CVSS score of 7.5 – This vulnerability is in the Yii object creation path, which contains an input-handling flaw that allows authenticated users to inject malicious configuration and execute arbitrary commands on the server. The attacker capability is high: malicious code can be injected and system commands executed. Exploitation requires a malicious attached behavior, which is triggered by a POST request to the /admin/actions/element-search/search route carrying a specially crafted JSON payload.

Craft CMS software has been affected by two high-severity vulnerabilities, which pose a significant risk to business operations. If exploited, these vulnerabilities could lead to sensitive data being exposed and targeted follow-up attacks being launched. Therefore, it is essential to take immediate action to address these vulnerabilities and prevent potential security breaches.

RECOMMENDATION:

  • We recommend updating `composer/craftcms/cms` to version `5.9.18`.
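As an added example that is not part of the original advisory or of Craft CMS itself, the following script checks whether the `craftcms/cms` version pinned in a deployment's `composer.lock` falls inside the affected ranges stated above (4.0.0 through 4.17.12 and 5.0.0 through 5.9.17). The lock-file layout it reads (a `packages` array of objects with `name` and `version`) is the standard Composer format; the sample lock content is constructed here for demonstration, and the `5.9.18` fixed version is the one given in the recommendation.

```python
import json
import re
from typing import Optional, Tuple

PACKAGE = "craftcms/cms"

# Affected ranges exactly as stated in the advisory (inclusive bounds).
AFFECTED_RANGES = [
    ((4, 0, 0), (4, 17, 12)),
    ((5, 0, 0), (5, 9, 17)),
]


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Turn a Composer version string such as 'v5.9.17' or '5.9.17.0' into a
    (major, minor, patch) tuple. Returns None for branch/dev versions
    (e.g. 'dev-main'), which cannot be judged against a numeric range."""
    match = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not match:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if the version lies inside one of the advisory's affected ranges."""
    parsed = parse_version(version)
    if parsed is None:
        return False
    return any(low <= parsed <= high for low, high in AFFECTED_RANGES)


def installed_version(lock_json: str, package: str = PACKAGE) -> Optional[str]:
    """Return the version of `package` recorded in composer.lock content, or None."""
    lock = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == package:
                return pkg.get("version")
    return None


def check_lock(lock_json: str) -> dict:
    """Summarise the exposure of one composer.lock: affected, not-affected,
    unknown (non-numeric version) or not-installed."""
    version = installed_version(lock_json)
    if version is None:
        status = "not-installed"
    elif parse_version(version) is None:
        status = "unknown"
    elif is_affected(version):
        status = "affected"
    else:
        status = "not-affected"
    return {"package": PACKAGE, "version": version, "status": status}


# Constructed sample lock content: a deployment still on the last affected 5.x release.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "craftcms/cms", "version": "5.9.17"},
        {"name": "yiisoft/yii2", "version": "2.0.49"},
    ],
    "packages-dev": [],
})


if __name__ == "__main__":
    import sys
    # Usage: python check_craft_version.py [path/to/composer.lock]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            result = check_lock(fh.read())
    else:
        result = check_lock(SAMPLE_LOCK)
    print(json.dumps(result))
```

Run it against the real `composer.lock` of each Craft installation in the estate; a status of `affected` means the deployment should be moved to the recommended release, and `unknown` (a branch or dev version) needs a manual look at the checked-out commit rather than being treated as safe.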

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-33m5-hqp9-97pw
https://github.com/advisories/GHSA-qrgm-p9w5-rrfw
https://github.com/advisories/GHSA-gj2p-p9m4-c8gw
