Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-28695 is an authenticated remote code execution (RCE) vulnerability in Craft CMS versions between 5.8.7 and before 5.9.0-beta.1, as well as versions between 4.0.0-RC1 and before 4.17.0-beta.1.'}, {'type': 'paragraph', 'content': 'The vulnerability arises from Server-Side Template Injection (SSTI) via the Twig `create()` function, which exposes the `Craft::createObject()` method. This method allows instantiation of arbitrary PHP classes with constructor arguments.'}, {'type': 'paragraph', 'content': 'When combined with the bundled Symfony Process component, this enables an attacker with authenticated admin access to execute arbitrary shell commands on the server.'}, {'type': 'paragraph', 'content': 'The vulnerability bypasses a previous fix (CVE-2025-57811) and is exploitable by injecting malicious payloads into template fields such as the "Title Format" in the admin panel.'}] [2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an authenticated administrator to execute arbitrary shell commands on the server hosting the Craft CMS application.

Because the commands run with the privileges of the web server user, which is root in the default Docker setup, this can lead to full server compromise.

An attacker could use this to take control of the server, access sensitive data, modify or delete files, install malware, or disrupt services.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if your Craft CMS installation is running a vulnerable version between 5.8.7 and before 5.9.0-beta.1, or between 4.0.0-RC1 and before 4.17.0-beta.1.'}, {'type': 'paragraph', 'content': 'Additionally, detection can involve looking for the presence of the vulnerable Twig `create()` function usage that allows instantiation of arbitrary PHP classes, especially the `Symfony\\Component\\Process\\Process` class.'}, {'type': 'paragraph', 'content': 'A practical detection method is to test for the vulnerability by injecting the proof-of-concept payload into the "Title Format" field under Settings → Entry Types in the admin panel (requires authenticated admin access):'}, {'type': 'list_item', 'content': '{% set p = create("Symfony\\\\Component\\\\Process\\\\Process", [["id"]]) %}{{ p.mustRun.getOutput }}'}, {'type': 'paragraph', 'content': 'If the command output (e.g., the result of `id`) appears in the entry title, the system is vulnerable.'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include upgrading Craft CMS to a patched version: 5.9.0-beta.1 or later, or 4.17.0-beta.1 or later.

If upgrading is not immediately possible, consider removing or restricting the Twig `create()` function to prevent instantiation of arbitrary classes.

Another mitigation is to blocklist dangerous classes such as `Symfony\Component\Process\Process` in the `createObject()` method when called from Twig templates.

Ensure that administrator permissions and access to the System Messages utility are tightly controlled, and avoid running the system with `AdminChanges` enabled in production.

The official patch restricts the `create()` Twig function to only instantiate classes extending from `yii\base\BaseObject`, throwing an exception otherwise.

Useful 0 Not Useful 0