Craft CMS Use of Externally-Controlled Input to Select Classes or Code (Unsafe Reflection) Vulnerability - CVE-2026-33157

Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.13 a Remote Code Execution (RCE) vulnerability exists in Craft CMS it can be exploited by any authenticated user with control panel access. This is a bypass of a previous fix. The existing patches add cleanseConfig() to assembleLayoutFromPost() and various FieldsController actions to strip Yii2 behavior/event injection keys (quotasquot and quotonquot prefixed keys). However the fieldLayouts parameter in ElementIndexesController::actionFilterHud() is passed directly to FieldLayout::createFromConfig() without any sanitization enabling the same behavior injection attack chain. This issue has been patched in version 5.9.13.