Executive Summary

CVE-2026-28697 is a vulnerability in Craft CMS versions prior to 4.17.0-beta.1 and 5.9.0-beta.1 that allows an authenticated administrator to perform Remote Code Execution (RCE). This is achieved through Server-Side Template Injection (SSTI) in Twig template fields such as Email Templates.

An attacker can inject malicious Twig code that calls the method craft.app.fs.write() to write a PHP webshell script to a web-accessible directory. Once written, the attacker can access this script via a browser to execute arbitrary system commands on the server.

The vulnerability requires an authenticated admin account with permissions to change system messages or templates. The root cause is improper neutralization of special elements in the Twig template engine, allowing template expressions to execute arbitrary code.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including full Remote Code Execution on the server hosting the Craft CMS instance. An attacker can write and execute arbitrary PHP code, potentially gaining control over the server.

Additionally, the vulnerability can lead to disclosure of sensitive information such as database credentials and security keys by injecting template code that accesses these normally protected values.

• Execution of arbitrary system commands via a webshell.
• Disclosure of database credentials (username, password, DSN) bypassing environment file protections.
• Disclosure of the security key used by the application.

Overall, exploitation can lead to complete compromise of the web server and sensitive data exposure.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by checking for the presence of malicious PHP scripts written to web-accessible directories, such as 'shell.php', which may have been created by exploiting the Server-Side Template Injection (SSTI) vulnerability in Twig templates."}, {'type': 'paragraph', 'content': "You can look for suspicious files like 'shell.php' in upload or volume directories and check web server access logs for requests to such files with query parameters executing system commands."}, {'type': 'list_item', 'content': "Use commands to find suspicious PHP files, for example: `find /path/to/webroot/uploads -name 'shell.php'`"}, {'type': 'list_item', 'content': "Check web server logs for access to these files, e.g., `grep 'shell.php' /var/log/nginx/access.log` or `grep 'shell.php' /var/log/apache2/access.log`"}, {'type': 'list_item', 'content': 'Look for unusual template changes or edits in the CMS admin interface, especially in Email Templates or System Messages.'}, {'type': 'list_item', 'content': 'Monitor for execution of system commands via web requests, such as URLs like `http://target.com/uploads/shell.php?c=id`.'}] [4]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include upgrading Craft CMS to versions 4.17.0-beta.1 or 5.9.0-beta.1 or later, where this vulnerability is fixed.

If upgrading is not immediately possible, restrict access to the CMS admin interface to trusted administrators only, and disable or limit the use of template editing features such as Email Templates and System Messages.

Implement Twig sandbox rules to block destructive methods like `write`, `writeFileFromStream`, and `deleteFile` to prevent writing malicious files.

Use an allowlist approach to restrict accessible `craft.app` properties in templates rather than exposing the entire application object.

Audit existing templates for injected malicious code and remove any suspicious payloads.

Monitor your web-accessible directories for unexpected PHP files and remove any unauthorized files immediately.

Useful 0 Not Useful 0