craftcms/cms is vulnerable to Remote Code Execution (RCE)
85
High Risk
Affected versions of this package are vulnerable to remote code execution. A flaw in how certain user-controllable configuration or input is processed allows unsanitized data to alter executable logic or code paths, potentially letting an attacker inject and run arbitrary code within the application context. In Craft CMS, this means that crafted input could exploit the underlying flaw in the framework/application integration to bypass intended controls and execute unintended operations. The referenced commit remedies this by tightening validation and sanitization of the affected inputs and eliminating the unsafe code path, which prevents attackers from triggering code execution through malicious payloads.
You are affected if you are using a version that falls within the vulnerable range.
craftcms/cms is vulnerable to Remote Code Execution (RCE) in versions 4.0.0 - 4.16.17 and 5.0.0 - 5.8.21.
Upgrade the craftcms/cms library to the patched version.