Craft CMS RCE via FieldsController::actionRenderCardPreview (v5.5-5.9.13)
CVE-2026-56382 Published on June 21, 2026
Craft CMS - Remote Code Execution via Missing Config Sanitization in FieldsController
Craft CMS (composer package craftcms/cms) versions >= 5.5.0 and <= 5.9.13 contain a remote code execution vulnerability in the FieldsController::actionRenderCardPreview() method, which passes the fieldLayoutConfig POST parameter directly to Fields::createLayout() without calling Component::cleanseConfig(). An authenticated admin user can inject Yii2 event handlers (e.g., 'on init' keys) via the fieldLayoutConfig parameter to execute arbitrary PHP code and disclose sensitive information (such as environment variables containing database credentials and CRAFT_SECURITY_KEY). The issue is fixed in version 5.9.14.
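To make the missing sanitization step concrete, the following is an added example written for this page; it is not code from Craft CMS or Yii2. ToyComponent is a stand-in that mirrors only the part of yii\base\Component's config handling that matters here (config keys prefixed with "on " are attached as event handlers before init() runs), and cleanseConfig() is a simplified re-implementation of what craft\helpers\Component::cleanseConfig() does. The untrusted config array is constructed for the demo and uses a harmless closure as the handler.

```php
<?php
declare(strict_types=1);

// Simplified stand-in for a Yii2 component (not Yii or Craft code). Yii2 treats a
// config key "on <event>" as an event handler and "as <name>" as a behavior; only
// the "on " case is modelled here.
class ToyComponent
{
    /** @var array<string, list<callable>> */
    private array $handlers = [];
    public string $name = '';

    public function __construct(array $config = [])
    {
        foreach ($config as $key => $value) {
            $this->set((string) $key, $value);
        }
        $this->init();
    }

    // Mirrors the "on <event>" special case of yii\base\Component::__set().
    private function set(string $key, mixed $value): void
    {
        if (str_starts_with($key, 'on ')) {
            $this->handlers[trim(substr($key, 3))][] = $value;
            return;
        }
        if (str_starts_with($key, 'as ')) {
            throw new RuntimeException("behaviors are not modelled in this demo: $key");
        }
        $this->$key = $value;
    }

    // Fires the "init" event, so any handler attached from the config runs here.
    public function init(): void
    {
        $this->trigger('init');
    }

    public function trigger(string $event): void
    {
        foreach ($this->handlers[$event] ?? [] as $handler) {
            call_user_func($handler, $this);
        }
    }
}

// Simplified equivalent of craft\helpers\Component::cleanseConfig(): drop every key
// that the component would interpret as an event handler or a behavior.
function cleanseConfig(array $config): array
{
    foreach (array_keys($config) as $key) {
        if (is_string($key) && (str_starts_with($key, 'on ') || str_starts_with($key, 'as '))) {
            unset($config[$key]);
        }
    }
    return $config;
}

// Constructed input standing in for a decoded fieldLayoutConfig POST parameter.
// A closure is used here; note that PHP also accepts a plain function-name string
// as a callable, which is why JSON-sourced input is enough to reach this path.
$log = [];
$untrusted = [
    'name'    => 'Demo layout',
    'on init' => function (ToyComponent $c) use (&$log): void {
        $log[] = 'handler ran inside init() of ' . $c->name;
    },
];

// Vulnerable pattern: untrusted config handed straight to the constructor.
$vulnerable = new ToyComponent($untrusted);
printf("vulnerable: %d handler call(s) during construction\n", count($log));

// Hardened pattern: cleanse first, so "on init" never reaches the component.
$log = [];
$hardened = new ToyComponent(cleanseConfig($untrusted));
printf("hardened:   %d handler call(s) during construction\n", count($log));
```

Run it with `php demo.php`. The point of the cleanse step is that it happens before the config array reaches any Yii2 constructor; cleansing after construction is too late because the handler has already fired during init().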
Vulnerability Analysis
CVE-2026-56382 is exploitable with network access and requires an authenticated account with admin privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high (arbitrary PHP execution and disclosure of secrets such as database credentials and CRAFT_SECURITY_KEY).
Weakness Type
What is a Code Injection Vulnerability?
The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CVE-2026-56382 has been classified as a Code Injection weakness (CWE-94).
Products Associated with CVE-2026-56382
Affected Versions
craftcms cms:
- Versions from 5.5.0 up to and including 5.9.13 (i.e. >= 5.5.0 and < 5.9.14) are affected.
- Version 5.9.14 and later are unaffected.
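As an added example (not part of the advisory), the following script reports whether the craftcms/cms version pinned in a project's composer.lock falls inside the affected range stated above. The lock fragment embedded in the script is constructed for the demo; replace it with the contents of the real composer.lock.

```php
<?php
declare(strict_types=1);

// Affected range from the advisory: >= 5.5.0 and < 5.9.14.
function craftcmsAffected(string $version): bool
{
    $v = ltrim($version, 'v');
    return version_compare($v, '5.5.0', '>=') && version_compare($v, '5.9.14', '<');
}

// Returns the locked craftcms/cms version from composer.lock JSON, or null if absent.
function lockedCraftVersion(string $lockJson): ?string
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    foreach ($lock['packages'] ?? [] as $pkg) {
        if (($pkg['name'] ?? null) === 'craftcms/cms') {
            return (string) $pkg['version'];
        }
    }
    return null;
}

// Constructed sample; in practice use: $lockJson = file_get_contents('composer.lock');
$lockJson = '{"packages":[{"name":"craftcms/cms","version":"5.9.3"}]}';

$version = lockedCraftVersion($lockJson);
if ($version === null) {
    echo "craftcms/cms not found in composer.lock\n";
    exit(2);
}

printf(
    "craftcms/cms %s: %s\n",
    $version,
    craftcmsAffected($version) ? 'AFFECTED by CVE-2026-56382, upgrade to 5.9.14 or later' : 'not in the affected range'
);
exit(craftcmsAffected($version) ? 1 : 0);
```

The script exits non-zero when the locked version is affected, so it can be dropped into a CI step that fails the build until the dependency is upgraded.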