Input validation error in Craft CMS - CVE-2026-44011

 

Published: June 16, 2026


Vulnerability identifier: #VU134670
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-44011
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Pixel & Tonic, Inc.
Affected software: Craft CMS

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary commands on the server.

The vulnerability exists due to improper input validation in the Yii object creation path used for FieldLayout hydration, which accepts request-controlled condition field layout data from crafted POST requests. A remote user can inject malicious configuration through a specially crafted request and execute arbitrary commands on the server.

The issue can be triggered from authenticated requests to element index actions that pass through the same beforeAction() path.


How to mitigate CVE-2026-44011

Install the security update from the vendor's website.
