CVE-2026-28783
PHP Function Blocklist Bypass in Craft CMS Enables RCE
Publication date: 2026-03-04
Last updated on: 2026-03-05
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| craftcms | craft_cms | 4.0.0 |
| craftcms | craft_cms | 5.0.0 |
| craftcms | craft_cms | From 4.0.0 (exc) to 4.17.0 (exc) |
| craftcms | craft_cms | From 5.0.0 (exc) to 5.9.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1336 | The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
| CWE-184 | The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me?
If exploited, this vulnerability allows an attacker who already holds the required permissions to perform a range of malicious actions within the Craft CMS environment:
- Remote Code Execution (RCE), allowing attackers to run arbitrary code on the server.
- Arbitrary file reads, potentially exposing sensitive files.
- Server-Side Request Forgery (SSRF), enabling attackers to make unauthorized requests from the server.
- Server-Side Template Injection (SSTI), which can lead to further code execution or data exposure.
These impacts can compromise the confidentiality, integrity, and availability of your system and data.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
Can you explain this vulnerability to me?
CVE-2026-28783 is a high-severity vulnerability in Craft CMS affecting versions from 4.0.0-RC1 up to (but not including) 4.17.0-beta.1 and from 5.0.0-RC1 up to (but not including) 5.9.0-beta.1. Twig filters such as `map`, `filter`, `reduce` and `sort` accept an arrow function as an argument; when that argument is a string rather than a Closure (for example `map('ucfirst')`), PHP treats the string as a callable and the named PHP function is invoked. Craft maintained a blocklist of dangerous PHP functions to stop this from being abused, but the blocklist was incomplete (CWE-184).
Because some PHP functions were not on the blocklist, attackers with certain permissions (allowAdminChanges enabled in production, a compromised admin account, or access to the System Messages utility) could exploit this to execute malicious payloads. The resulting impacts include remote code execution (RCE), arbitrary file reads, server-side request forgery (SSRF), and server-side template injection (SSTI).
The vulnerability is fixed in Craft CMS 4.17.0-beta.1 and 5.9.0-beta.1, which remove the blocklist and instead disable all non-Closure arrow functions in Twig globally via the Twig Sandbox extension, controlled by the new `enableTwigSandbox` configuration setting. The fix replaces an enumerated denylist with a policy that does not depend on naming every dangerous function.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the use of non-Closure arrow functions in Twig templates within Craft CMS versions prior to 5.9.0-beta.1 and 4.17.0-beta.1, combined with certain permissions such as `allowAdminChanges` enabled in production, compromised admin accounts, or access to the System Messages utility.
Detection involves checking whether your Craft CMS version is within the vulnerable range and whether the `enableTwigSandbox` configuration setting is disabled, since enabling it mitigates the vulnerability.
Additionally, you can audit Twig templates for string-based non-Closure arrow functions, for example patterns like `{% set names = names | map('ucfirst') %}`, which are affected, as opposed to Closure arrow functions.
Specific commands are not provided in the resources, but general steps include:
- Check the Craft CMS version installed on your system.
- Inspect the Craft CMS configuration for the `enableTwigSandbox` setting.
- Search your Twig template files for string-based arrow functions (e.g. with grep or a similar text search tool). [1, 2]
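As an added example (not from the advisory, this page's sources, or the Craft CMS project), the following POSIX shell script carries out the three checks above against a constructed, throwaway project tree: it reads the installed craftcms/cms version from composer.lock, reads `enableTwigSandbox` and `allowAdminChanges` from config/general.php, and greps templates for quoted-string arguments to the Twig filters that accept arrow functions. The sample composer.lock, general.php and template are constructed here for the demonstration; the set of filters searched (map, filter, reduce, sort, find) and the simple `'key' => value` config parsing are assumptions, so point `audit_project` at a real project root and extend the patterns to match how your configuration is written.

```shell
#!/bin/sh
# Added example, not code from the Craft CMS project or the advisory.
# Checks for CVE-2026-28783 against a project root:
#   1. craftcms/cms version from composer.lock (affected: 4.x < 4.17.0, 5.x < 5.9.0)
#   2. enableTwigSandbox / allowAdminChanges in config/general.php
#   3. string-based (non-Closure) arrow functions in Twig templates
set -eu

# Constructed sample project for the demonstration; NOT a real Craft install.
# Deliberately vulnerable on all three counts.
make_sample_project() {
  dir=$(mktemp -d)
  mkdir -p "$dir/config" "$dir/templates"
  cat > "$dir/composer.lock" <<'EOF'
{
    "packages": [
        {
            "name": "craftcms/cms",
            "version": "5.8.2"
        }
    ]
}
EOF
  cat > "$dir/config/general.php" <<'EOF'
<?php
// Constructed sample using the plain array form of Craft's config file.
return [
    'allowAdminChanges' => true,
    'enableTwigSandbox' => false,
];
EOF
  cat > "$dir/templates/index.twig" <<'EOF'
{% set names = names | map('ucfirst') %}
{% set upper = names|map(n => n|upper) %}
{% set sorted = items|sort("strcmp") %}
{% set evens = numbers|filter(n => n is even) %}
EOF
  echo "$dir"
}

# Print the craftcms/cms version recorded in composer.lock (empty if absent).
# Line-oriented scan: first "version" after the craftcms/cms "name" line.
craft_version() {
  awk '
    /"name": *"craftcms\/cms"/ { found = 1 }
    found && /"version":/ { gsub(/.*"version": *"|".*/, ""); print; exit }
  ' "$1/composer.lock" 2>/dev/null || true
}

# True if the version falls in the advisory's ranges. Pre-release suffixes are
# dropped, so 4.17.0-beta.1 compares as 4.17.0 (fixed), as the advisory states.
version_is_vulnerable() {
  v=${1%%-*}
  case "$v" in *.*) ;; *) v="$v.0" ;; esac
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%.*}
  case "$major" in
    4) [ "$minor" -lt 17 ] ;;
    5) [ "$minor" -lt 9 ] ;;
    *) return 1 ;;
  esac
}

# Print the literal value of a 'key' => value entry in a PHP config file,
# or "unset". Assumption: values are literals, not pulled from env vars.
config_setting() {
  file=$1; key=$2
  val=$(grep -E "['\"]$key['\"] *=> *" "$file" 2>/dev/null \
        | sed -E 's/.*=> *([A-Za-z0-9_]+).*/\1/' | head -n 1)
  echo "${val:-unset}"
}

# List template lines passing a quoted string (a PHP callable name) as the
# arrow-function argument of a Twig filter. Closure form (n => ...) is not
# flagged. The filter list is an assumption; extend it for your templates.
find_string_arrow_functions() {
  grep -rnE --include='*.twig' --include='*.html' \
    "\|[[:space:]]*(map|filter|reduce|sort|find)[[:space:]]*\([[:space:]]*['\"]" \
    "$1" 2>/dev/null || true
}

# Run all checks against a project root; prints a report and returns 0 only
# when nothing was found.
audit_project() {
  root=$1; findings=0
  ver=$(craft_version "$root")
  echo "craftcms/cms version: ${ver:-unknown}"
  if [ -n "$ver" ] && version_is_vulnerable "$ver"; then
    echo "  -> inside the affected range; upgrade to 4.17.0-beta.1 / 5.9.0-beta.1 or later"
    findings=$((findings + 1))
  fi
  sandbox=$(config_setting "$root/config/general.php" enableTwigSandbox)
  admin=$(config_setting "$root/config/general.php" allowAdminChanges)
  echo "enableTwigSandbox: $sandbox"
  if [ "$sandbox" != "true" ]; then
    echo "  -> not explicitly enabled; confirm the default for your Craft version"
    findings=$((findings + 1))
  fi
  echo "allowAdminChanges: $admin"
  if [ "$admin" = "true" ]; then
    echo "  -> admin changes allowed (one of the advisory's preconditions)"
    findings=$((findings + 1))
  fi
  echo "string-based arrow functions in templates:"
  hits=$(find_string_arrow_functions "$root/templates")
  if [ -n "$hits" ]; then echo "$hits"; findings=$((findings + 1)); else echo "  none"; fi
  echo "findings: $findings"
  [ "$findings" -eq 0 ]
}

# Stand-alone run against the constructed sample.
sample=$(make_sample_project)
if audit_project "$sample"; then echo "no findings"; else echo "action needed"; fi
rm -rf "$sample"
```

The version check deliberately treats a pre-release of a fixed minor (4.17.0-beta.1) as fixed and everything below that minor as affected, matching the advisory's ranges; it does not try to order pre-release tags beyond that. The template grep only catches the quoted-string form on a single line, so a callable name built from a variable or split across lines will not be flagged, which is another reason to rely on `enableTwigSandbox` rather than on the scan alone.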
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, you should update your Craft CMS installation to version 5.9.0-beta.1 or later, or 4.17.0-beta.1 or later, where the vulnerability is fixed.
Enable the `enableTwigSandbox` configuration setting in your Craft CMS project. This setting activates the Twig Sandbox extension, which blocks all non-Closure arrow functions regardless of which PHP function they name, closing the gap that the incomplete blocklist left open.
Review and update your Twig templates to replace any string-based non-Closure arrow functions with Closure arrow functions to comply with the new security policy.
Ensure that the `allowAdminChanges` setting is disabled in production environments unless absolutely necessary, and review user permissions to limit access to admin accounts and the System Messages utility.