Vulnerability in Craftcms Cms

CVE-2026-33157

Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.13, a Remote Code Execution (RCE) vulnerability exists in Craft CMS, it can be exploited by any authenticated user with control panel access. This is…

EPSS: 0.001 (27.4th percentile) — read the EPSS interpretation.

Affected products

Craftcms Cms — versions >= 5.6.0, < 5.9.13

Weakness classification (CWE)

CWE-470 — Use of Externally-Controlled Input to Select Classes or Code (Unsafe Reflection)

References

https://github.com/craftcms/cms/security/advisories/GHSA-2fph-6v5w-89hh (x_refsource_CONFIRM)
https://github.com/craftcms/cms/commit/97e90b4bdee369c1af3ca77a77531132df240e4e (x_refsource_MISC)
https://github.com/craftcms/cms/releases/tag/5.9.13 (x_refsource_MISC)