CVE-2026-28783 — Code Injection in Craft CMS

CWE-94 — Code Injection CWE-184 — Incomplete List of Disallowed Inputs CWE-1336 — Improper Neutralization of Special Elements Used in a Template Engine5 documents5 sources

Severity

9.4CRITICALNVD

EPSS

0.1%

top 73.07%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Craftcms Craft CMS Craftcms CMS

Timeline

PublishedMar 4

Description

Craft is a content management system (CMS). Prior to 5.9.0-beta.1 and 4.17.0-beta.1, Craft CMS implements a blocklist to prevent potentially dangerous PHP functions from being called via Twig non-Closure arrow functions. In order to be able to successfully execute this attack, you need to either have allowAdminChanges enabled on production, or a compromised admin account, or an account with access to the System Messages utility. Several PHP functions are not included in the blocklist, which coul…

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Affected Packages3 packages

▶Packagistcraftcms/cms5.0.0-RC1 — 5.9.0-beta.1+1

▶NVDcraftcms/craft_cms< 4.17.0+3

▶CVEListV5craftcms/cms>= 4.0.0-RC1, <= 4.17.0-beta.1, >= 5.0.0-RC1, <= 5.9.0-beta.1+1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

Craft has a Twig Function Blocklist Bypass↗2026-03-04

▶

OSV

Craft CMS has Twig Function Blocklist Bypass↗2026-03-03

▶

GHSA

Craft CMS has Twig Function Blocklist Bypass↗2026-03-03

▶

🕵️Threat Intelligence

Wiz

CVE-2026-28783 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶