craftcms/cms is vulnerable to Remote Code Execution (RCE)
68
Medium Risk
Affected versions of this package are vulnerable to a remote code execution (RCE) vulnerability stemming from unsafe processing of serialized condition configuration data, which could allow untrusted input to be interpreted in a way that executes arbitrary server-side code. This unsafe handling creates a critical risk: specially crafted requests targeting the element indexes/conditions controller may be leveraged to inject executable configuration, potentially leading to full compromise of the affected Craft CMS application. The issue is fixed by sanitizing and validating condition config data before use, removing dangerous configuration keys and ensuring arbitrary code execution vectors are mitigated.
You are affected if you are using a version that falls within the vulnerable range.
craftcms/cms is vulnerable to Remote Code Execution (RCE) in versions 3.5.0 - 4.17.4 and 5.0.0 - 5.9.10.
Upgrade the craftcms/cms library to a patched version.
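The advisory describes the fix as cleansing and validating condition config before it is used and dropping dangerous configuration keys. The following is an added example of that defensive pattern, not Craft CMS's own code: it allowlists which condition rule classes and properties a request may supply, and strips the keys that, in a Yii 2-style configuration array, do more than set a plain property (`class` selects the object to instantiate, `on <event>` attaches an event handler, `as <name>` attaches a behavior). The `conditionRules` key, the rule class names and the allowed property names are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

// Added example (not craftcms/cms code). Requires PHP 8+ for str_starts_with().
// Assumption: the untrusted config is a Yii 2-style array whose `class`,
// `on <event>` and `as <name>` keys would be interpreted by an object factory.

/** Hypothetical allowlist of condition rule classes (example names, not Craft's). */
const ALLOWED_RULE_CLASSES = [
    'app\\conditions\\TitleConditionRule',
    'app\\conditions\\StatusConditionRule',
];

/** Hypothetical set of scalar properties a rule may carry from a request. */
const ALLOWED_RULE_KEYS = ['uid', 'operator', 'value'];

/**
 * True for keys that attach code to the object being built instead of
 * setting a property: `__class`, `on <event>`, `as <behavior>`.
 * The `class` key is handled separately against ALLOWED_RULE_CLASSES.
 */
function isDangerousKey(string $key): bool
{
    $normalized = strtolower(trim($key));
    return $normalized === '__class'
        || str_starts_with($normalized, 'on ')   // Yii 2 event handler attachment
        || str_starts_with($normalized, 'as ');  // Yii 2 behavior attachment
}

/**
 * Reduce one rule to an allowlisted class plus allowlisted scalar properties.
 * Returns null when the rule names no acceptable class, so the caller can
 * discard it rather than pass a partially trusted array onward.
 */
function cleanseRuleConfig(array $rule): ?array
{
    $class = $rule['class'] ?? null;
    if (!is_string($class)) {
        return null;
    }
    $class = ltrim($class, '\\');
    if (!in_array($class, ALLOWED_RULE_CLASSES, true)) {
        return null; // unknown class: reject the whole rule
    }

    $clean = ['class' => $class];
    foreach ($rule as $key => $value) {
        if (!is_string($key) || $key === 'class') {
            continue;
        }
        if (isDangerousKey($key) || !in_array($key, ALLOWED_RULE_KEYS, true)) {
            continue; // drop hook keys and anything not explicitly allowed
        }
        if (is_array($value) || is_object($value)) {
            continue; // rule properties are scalars only; no nested config
        }
        $clean[$key] = $value;
    }
    return $clean;
}

/**
 * Cleanse a whole condition config. Only the `conditionRules` list survives;
 * any other top-level key supplied by the request is ignored.
 */
function cleanseConditionConfig(array $config): array
{
    $rules = [];
    foreach (($config['conditionRules'] ?? []) as $rule) {
        if (is_array($rule) && ($clean = cleanseRuleConfig($rule)) !== null) {
            $rules[] = $clean;
        }
    }
    return ['conditionRules' => $rules];
}

if (PHP_SAPI === 'cli') {
    // Constructed sample input standing in for a decoded request body.
    $untrusted = [
        'class' => 'Not\\An\\Allowed\\Condition',
        'conditionRules' => [
            [
                'class' => '\\app\\conditions\\TitleConditionRule',
                'operator' => '=',
                'value' => 'Hello',
                'on afterValidate' => 'should be dropped',
                'as extra' => ['class' => 'should be dropped'],
            ],
            ['class' => 'Some\\Unexpected\\Class', 'value' => 'ignored'],
        ],
    ];
    echo json_encode(cleanseConditionConfig($untrusted), JSON_PRETTY_PRINT), PHP_EOL;
}
```

Running the sample keeps a single rule, `{"class":"app\\conditions\\TitleConditionRule","operator":"=","value":"Hello"}`, and discards both the hook keys and the rule whose class is not on the allowlist. The design point is that rejection is the default: a key or class that is not explicitly expected never reaches the object factory, which is what turns "serialized config from a request" back into data.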