CVE-2026-28697
Server-Side Template Injection in Craft CMS Enables Remote Code Execution
Publication date: 2026-03-04
Last updated on: 2026-03-05
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| craftcms | craft_cms | 4.0.0 |
| craftcms | craft_cms | 5.0.0 |
| craftcms | craft_cms | From 4.0.0 (exc) to 4.17.0 (exc) |
| craftcms | craft_cms | From 5.0.0 (exc) to 5.9.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1336 | The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-28697 is a vulnerability in Craft CMS versions prior to 4.17.0-beta.1 and 5.9.0-beta.1 that allows an authenticated administrator to perform Remote Code Execution (RCE). This is achieved through Server-Side Template Injection (SSTI) in Twig template fields such as Email Templates.
An attacker can inject malicious Twig code that calls the method `craft.app.fs.write()` to write a PHP webshell script to a web-accessible directory. Once written, the attacker can access this script via a browser to execute arbitrary system commands on the server.
The vulnerability requires an authenticated admin account with permissions to change system messages or templates. The root cause is improper neutralization of special elements in the Twig template engine, allowing template expressions to execute arbitrary code.
How can this vulnerability impact me?
This vulnerability can have severe impacts including full Remote Code Execution on the server hosting the Craft CMS instance. An attacker can write and execute arbitrary PHP code, potentially gaining control over the server.
Additionally, the vulnerability can lead to disclosure of sensitive information such as database credentials and security keys by injecting template code that accesses these normally protected values.
- Execution of arbitrary system commands via a webshell.
- Disclosure of database credentials (username, password, DSN) bypassing environment file protections.
- Disclosure of the security key used by the application.
Overall, exploitation can lead to complete compromise of the web server and sensitive data exposure.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of malicious PHP scripts written to web-accessible directories, such as 'shell.php', which may have been created by exploiting the Server-Side Template Injection (SSTI) vulnerability in Twig templates.
You can look for suspicious files like 'shell.php' in upload or volume directories and check web server access logs for requests to such files with query parameters executing system commands.
- Use commands to find suspicious PHP files, for example: `find /path/to/webroot/uploads -name 'shell.php'`
- Check web server logs for access to these files, e.g., `grep 'shell.php' /var/log/nginx/access.log` or `grep 'shell.php' /var/log/apache2/access.log`
- Look for unusual template changes or edits in the CMS admin interface, especially in Email Templates or System Messages.
- Monitor for execution of system commands via web requests, such as URLs like `http://target.com/uploads/shell.php?c=id`.
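As an added example (not part of this record or of Craft CMS), the log and filesystem checks above as a small Python scan over constructed access-log lines: any request for a `.php` file under an upload or volume path is reported with its query parameters, since those directories should only ever serve static assets, and a second helper lists `.php` files found on disk under such a directory. The upload path prefixes are assumptions to adjust per deployment.

```python
import os
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [04/Mar/2026:10:01:12 +0000] "GET /uploads/images/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Mar/2026:10:02:40 +0000] "GET /uploads/shell.php?c=id HTTP/1.1" 200 87 "-" "curl/8.4.0"
198.51.100.9 - - [04/Mar/2026:10:03:01 +0000] "POST /admin/system-messages HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [04/Mar/2026:10:03:15 +0000] "GET /assets/site/x.php?cmd=whoami HTTP/1.1" 200 140 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# URL prefixes of Craft volumes / upload folders (assumed; set per deployment).
# Nothing under these should be a PHP script, so any .php request is a finding.
UPLOAD_PREFIXES = ("/uploads/", "/assets/")


def suspicious_requests(log_text, prefixes=UPLOAD_PREFIXES):
    """Return requests for .php files under upload prefixes, with query params."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        url = urlparse(m.group("target"))
        path = url.path.lower()
        if not (path.endswith(".php") and path.startswith(prefixes)):
            continue
        findings.append({
            "ip": m.group("ip"), "ts": m.group("ts"), "path": url.path,
            "status": int(m.group("status")), "params": parse_qs(url.query),
        })
    return findings


def php_files_under(root):
    """List .php files on disk under an upload/volume directory (expected: none)."""
    return sorted(
        os.path.join(d, f) for d, _, files in os.walk(root)
        for f in files if f.lower().endswith(".php")
    )


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['path']} params={hit['params']}")
```

Point `php_files_under()` at each volume's local folder and feed real access logs to `suspicious_requests()`; a hit with a non-empty `params` dict on a writable directory is the pattern the detection advice above describes.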
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading Craft CMS to versions 4.17.0-beta.1 or 5.9.0-beta.1 or later, where this vulnerability is fixed.
If upgrading is not immediately possible, restrict access to the CMS admin interface to trusted administrators only, and disable or limit the use of template editing features such as Email Templates and System Messages.
Implement Twig sandbox rules to block destructive methods like `write`, `writeFileFromStream`, and `deleteFile` to prevent writing malicious files.
Use an allowlist approach to restrict accessible `craft.app` properties in templates rather than exposing the entire application object.
Audit existing templates for injected malicious code and remove any suspicious payloads.
Monitor your web-accessible directories for unexpected PHP files and remove any unauthorized files immediately.