CVE-2026-25498
📋 TL;DR
This is a Remote Code Execution vulnerability in Craft CMS that allows authenticated administrators to execute arbitrary system commands on the server. It affects Craft CMS versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21. The vulnerability occurs due to insufficient sanitization of user-supplied configuration data in the assembleLayoutFromPost() function.
💻 Affected Systems
- Craft CMS
📦 What is this software?
Craft Cms by Craftcms
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise allowing attackers to execute arbitrary commands, steal data, install malware, or pivot to other systems.
Likely Case
Authenticated administrators with malicious intent or compromised admin accounts could execute commands to exfiltrate data or maintain persistence.
If Mitigated
Limited to authenticated administrators only, with proper access controls limiting damage scope.
🎯 Exploit Status
Exploitation requires administrator credentials. The vulnerability is similar to previously patched CVE-2025-68455, suggesting exploit code may be adapted.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.8.22
Vendor Advisory: https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7
Restart Required: No
Instructions:
1. Update Craft CMS to version 5.8.22 or later.
2. For version 4.x, upgrade to Craft 5.8.22 or later, as version 4 is no longer supported.
3. Apply the patch from GitHub commit 395c64f0b80b507be1c862a2ec942eaacb353748 if manual patching is needed.
🔧 Temporary Workarounds
Restrict Administrator Access
Limit administrator accounts to trusted personnel only and implement strong authentication controls.
Web Application Firewall Rules
Implement WAF rules to block suspicious POST requests to field configuration endpoints.
🧯 If You Can't Patch
- Immediately restrict or monitor all administrator accounts for suspicious activity.
- Implement network segmentation to isolate the Craft CMS server from critical systems.
🔍 How to Verify
Check if Vulnerable:
Check Craft CMS version via admin panel or by examining the composer.json file. Versions 4.0.0-RC1 to 4.16.17 or 5.0.0-RC1 to 5.8.21 are vulnerable.
Check Version:
php craft --version
Verify Fix Applied:
Confirm version is 5.8.22 or later. Check that the patch from commit 395c64f0b80b507be1c862a2ec942eaacb353748 is applied.
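Added example (not part of this advisory or of Craft CMS itself): a Python check that reads the installed craftcms/cms version from composer.lock, which records the exact installed version where composer.json usually holds only a constraint, and tests it against the affected ranges listed above, treating RC and beta suffixes as pre-releases that sort before the final release. The lock-file content below is constructed sample data.

```python
import json
import re

# Affected ranges from the advisory (inclusive) and the fixed release.
VULNERABLE_RANGES = [("4.0.0-RC1", "4.16.17"), ("5.0.0-RC1", "5.8.21")]
FIXED_VERSION = "5.8.22"

_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3  # a final release outranks any pre-release of the same number

def parse_version(text):
    """Turn '5.0.0-RC1' or '5.8.21' into a tuple that compares correctly."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc)\.?(\d+)?)?",
                     text.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4):
        pre = (_PRE_RANK[m.group(4).lower()], int(m.group(5) or 0))
    else:
        pre = (_FINAL_RANK, 0)
    return (major, minor, patch, pre)

def is_vulnerable(version):
    """True if the version falls inside one of the affected ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in VULNERABLE_RANGES)

def installed_craft_version(lock_json):
    """Return the craftcms/cms version recorded in composer.lock, or None."""
    for pkg in json.loads(lock_json).get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg["version"]
    return None

def assess(lock_json):
    """Human-readable verdict for the Craft install described by lock_json."""
    v = installed_craft_version(lock_json)
    if v is None:
        return "craftcms/cms not found in lock file"
    if is_vulnerable(v):
        return f"{v}: VULNERABLE, update to {FIXED_VERSION} or later"
    return f"{v}: not in an affected range"

# Constructed excerpt of a composer.lock, not taken from a real installation.
SAMPLE_LOCK = json.dumps({"packages": [{"name": "craftcms/cms", "version": "5.8.21"}]})

if __name__ == "__main__":
    print(assess(SAMPLE_LOCK))
```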
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to field configuration endpoints
- Suspicious system command execution in web server logs
- Multiple failed administrator login attempts followed by successful login
Network Indicators:
- Unusual outbound connections from web server to external systems
- Large data exfiltration from web server
SIEM Query:
source="web_logs" AND (uri_path="/admin/actions/fields/*" OR uri_path CONTAINS "assembleLayoutFromPost") AND status=200