Executive Summary

CVE-2026-28784 is a vulnerability in the Craft CMS that allows an attacker to perform Remote Code Execution (RCE) by exploiting Server-Side Template Injection (SSTI) in Twig templates.

This happens when malicious payloads are crafted using the Twig map filter in text fields that accept Twig input, specifically under the Settings section or the System Messages utility in the Craft control panel.

To exploit this vulnerability, an attacker must either have administrator access to the Craft Control Panel with the configuration setting allowAdminChanges enabled (which is discouraged in production), or have a non-administrator account with allowAdminChanges disabled but with access to the System Messages utility.

Updating to patched versions 5.8.22 or 4.16.18 (or later) mitigates this issue.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to Remote Code Execution (RCE) on the server hosting the Craft CMS.

An attacker who successfully exploits this flaw can execute arbitrary code, potentially gaining full control over the affected system.

This can result in unauthorized access, data theft, data manipulation, service disruption, or further compromise of the network.

The risk is higher if administrative access is compromised or if the allowAdminChanges setting is enabled inappropriately.

Useful 0 Not Useful 0

Compliance Impact

[{'type': 'paragraph', 'content': "While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, the vulnerability's potential for Remote Code Execution and unauthorized access can lead to breaches of sensitive data."}, {'type': 'paragraph', 'content': 'Such breaches could result in non-compliance with data protection regulations that require safeguarding personal and sensitive information.'}, {'type': 'paragraph', 'content': 'Mitigating this vulnerability by applying patches and following security best practices helps maintain compliance by protecting data confidentiality, integrity, and availability.'}] [1, 2]

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves verifying the Craft CMS version and configuration settings that enable exploitation. Specifically, check if the Craft CMS version is prior to 5.8.22 or 4.16.18, and whether the allowAdminChanges setting is enabled in a production environment.'}, {'type': 'paragraph', 'content': 'You can detect vulnerable versions by querying the CMS version via the control panel or by inspecting the composer.lock or composer.json files in your installation.'}, {'type': 'paragraph', 'content': "To check the allowAdminChanges setting, review your configuration files (e.g., config/general.php) for the value of 'allowAdminChanges'."}, {'type': 'paragraph', 'content': 'While no specific commands are provided in the resources, general commands to check version and configuration include:'}, {'type': 'list_item', 'content': 'Check Craft CMS version via composer: `composer show craftcms/cms | grep versions`'}, {'type': 'list_item', 'content': 'Inspect configuration file for allowAdminChanges: `grep allowAdminChanges config/general.php`'}, {'type': 'list_item', 'content': 'Check access to System Messages utility and Settings in the control panel to identify if non-administrator users have access.'}, {'type': 'paragraph', 'content': 'Monitoring network traffic for unusual POST requests to the control panel or System Messages endpoints with Twig payloads could also help detect exploitation attempts, but no specific detection signatures or commands are provided.'}] [1, 2]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to update Craft CMS to the patched versions 5.8.22 or 4.16.18 (or later versions 5.9.0-beta.1 or 4.17.0-beta.1).

Additionally, immediately disable the allowAdminChanges setting in production environments to prevent unauthorized administrative changes.

Restrict access to the Craft Control Panel and System Messages utility to trusted administrator accounts only.

Follow security best practices such as:

• Disable Dev Mode in production.
• Place source and runtime folders above the webroot to prevent direct HTTP access.
• Enable sandboxed template rendering (`enableTwigSandbox`) in Craft 4.17.0 and 5.9.0 or later.
• Enforce HTTPS with SSL certificates.
• Control user permissions carefully, limiting administrative privileges.
• Sanitize and escape all user inputs and use HTML Purifier for custom fields.

Implementing these steps collectively hardens the environment against exploitation of this vulnerability.

Useful 0 Not Useful 0