CVE-2026-28784
Remote Code Execution via Twig Injection in Craft CMS
Publication date: 2026-03-04
Last updated on: 2026-03-05
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| craftcms | craft_cms | 4.0.0 |
| craftcms | craft_cms | 5.0.0 |
| craftcms | craft_cms | From 4.0.0 (exc) to 4.17.0 (exc) |
| craftcms | craft_cms | From 5.0.0 (exc) to 5.9.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1336 | The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-28784 is a vulnerability in the Craft CMS that allows an attacker to perform Remote Code Execution (RCE) by exploiting Server-Side Template Injection (SSTI) in Twig templates.
This happens when malicious payloads are crafted using the Twig map filter in text fields that accept Twig input, specifically under the Settings section or the System Messages utility in the Craft control panel.
To exploit this vulnerability, an attacker must either have administrator access to the Craft Control Panel with the configuration setting allowAdminChanges enabled (which is discouraged in production), or have a non-administrator account with allowAdminChanges disabled but with access to the System Messages utility.
Updating to patched versions 5.8.22 or 4.16.18 (or later) mitigates this issue.
How can this vulnerability impact me?
This vulnerability can lead to Remote Code Execution (RCE) on the server hosting the Craft CMS.
An attacker who successfully exploits this flaw can execute arbitrary code, potentially gaining full control over the affected system.
This can result in unauthorized access, data theft, data manipulation, service disruption, or further compromise of the network.
The risk is higher if administrative access is compromised or if the allowAdminChanges setting is enabled inappropriately.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, the vulnerability's potential for Remote Code Execution and unauthorized access can lead to breaches of sensitive data.
Such breaches could result in non-compliance with data protection regulations that require safeguarding personal and sensitive information.
Mitigating this vulnerability by applying patches and following security best practices helps maintain compliance by protecting data confidentiality, integrity, and availability. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves verifying the Craft CMS version and the configuration settings that enable exploitation. Specifically, check whether the Craft CMS version is prior to 5.8.22 or 4.16.18, and whether the allowAdminChanges setting is enabled in a production environment.
You can detect vulnerable versions by querying the CMS version via the control panel or by inspecting the composer.lock or composer.json files in your installation.
To check the allowAdminChanges setting, review your configuration files (e.g., config/general.php) for the value of 'allowAdminChanges'.
While no specific commands are provided in the resources, general commands to check version and configuration include:
- Check the Craft CMS version via Composer: `composer show craftcms/cms | grep versions`
- Inspect the configuration file for allowAdminChanges: `grep allowAdminChanges config/general.php`
- Check who has access to the System Messages utility and Settings in the control panel, to identify whether non-administrator users have access.
Monitoring network traffic for unusual POST requests to the control panel or System Messages endpoints carrying Twig payloads could also help detect exploitation attempts, but no specific detection signatures or commands are provided. [1, 2]
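The two file-based checks above, combined into one offline triage script. This is an added example, not code from the advisory or from Craft CMS: it reads the craftcms/cms version from composer.lock, compares it against the patched versions named above, and reports whether config/general.php leaves allowAdminChanges enabled. The sample install it writes is constructed for the demo, and the assumption that Craft defaults allowAdminChanges to true when the key is absent comes from Craft's documented defaults.

```shell
#!/bin/sh
# Added example (not from the advisory): offline triage of one Craft install against
# CVE-2026-28784. The sample install written by make_sample_install is constructed.

# version_lt A B: exit 0 when dotted version A is lower than B (pre-release suffix ignored).
version_lt() {
    awk -v a="${1%%-*}" -v b="${2%%-*}" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, "."); n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0; if (xi > yi) exit 1
        }
        exit 1 }'
}

# craft_version LOCKFILE: print the installed craftcms/cms version recorded in composer.lock.
craft_version() {
    tr -d '\n' < "$1" | grep -o '"name": *"craftcms/cms"[^}]*' |
        grep -o '"version": *"[^"]*"' | head -n 1 | sed 's/.*"\([^"]*\)"$/\1/; s/^v//'
}

# is_vulnerable_version V: exit 0 for a 4.x release below 4.16.18 or a 5.x release below 5.8.22.
is_vulnerable_version() {
    case "$1" in
        4.*) version_lt "$1" 4.16.18 ;;
        5.*) version_lt "$1" 5.8.22 ;;
        *)   return 1 ;;
    esac
}

# admin_changes_enabled GENERAL_PHP: exit 0 unless the file explicitly sets allowAdminChanges
# to false (array or fluent syntax). Assumed Craft default is true, so an absent key counts as enabled.
admin_changes_enabled() {
    ! grep -Eq "allowAdminChanges(['\"]?[[:space:]]*=>|\()[[:space:]]*false" "$1"
}

# assess_install DIR: print one summary line for the install rooted at DIR.
assess_install() {
    v=$(craft_version "$1/composer.lock")
    if is_vulnerable_version "$v"; then s=VULNERABLE; else s=patched; fi
    if admin_changes_enabled "$1/config/general.php"; then a=enabled; else a=disabled; fi
    printf 'craftcms/cms %s: %s, allowAdminChanges=%s\n' "$v" "$s" "$a"
}

# make_sample_install: write a constructed, unpatched install with the risky setting; print its path.
make_sample_install() {
    d=$(mktemp -d); mkdir -p "$d/config"
    printf '%s\n' '{ "packages": [ { "name": "craftcms/cms", "version": "5.8.20",' \
        '"source": { "type": "git" } } ] }' > "$d/composer.lock"
    printf '%s\n' '<?php' 'return [' "    'devMode' => false," "    'allowAdminChanges' => true," '];' > "$d/config/general.php"
    printf '%s\n' "$d"
}

assess_install "$(make_sample_install)"   # prints: craftcms/cms 5.8.20: VULNERABLE, allowAdminChanges=enabled
```

Point `assess_install` at a real install root instead of the sample to triage it; the version parser relies on composer.lock listing "name" before "version" for the package, which is Composer's normal layout.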
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update Craft CMS to the patched versions 5.8.22 or 4.16.18 (or later versions 5.9.0-beta.1 or 4.17.0-beta.1).
Additionally, immediately disable the allowAdminChanges setting in production environments to prevent unauthorized administrative changes.
Restrict access to the Craft Control Panel and System Messages utility to trusted administrator accounts only.
Follow security best practices such as:
- Disable Dev Mode in production.
- Place source and runtime folders above the webroot to prevent direct HTTP access.
- Enable sandboxed template rendering (`enableTwigSandbox`) in Craft 4.17.0 and 5.9.0 or later.
- Enforce HTTPS with SSL certificates.
- Control user permissions carefully, limiting administrative privileges.
- Sanitize and escape all user inputs and use HTML Purifier for custom fields.
Implementing these steps collectively hardens the environment against exploitation of this vulnerability.