CVE-2026-28784Improper Neutralization of Special Elements Used in a Template Engine in Craft CMS

CWE-1336Improper Neutralization of Special Elements Used in a Template Engine5 documents5 sources
Severity
8.6HIGHNVD
EPSS
0.1%
top 82.20%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Craftcms Craft CMSCraftcms CMS
Timeline
PublishedMar 4

Description

Craft is a content management system (CMS). Prior to 5.8.22 and 4.16.18, it is possible to craft a malicious payload using the Twig map filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE. For this to work, you must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled for this to work, which is against our recommendations for any non-dev environment. Alternati

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages3 packages

Packagistcraftcms/cms5.0.0-RC15.9.0-beta.1+1
NVDcraftcms/craft_cms< 4.17.0+3
CVEListV5craftcms/cms>= 4.0.0-RC1, < 4.17.0-beta.1, >= 5.0.0-RC1, < 5.9.0-beta.1+1

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

3
CVEList
Craft is affected by potential authenticated Remote Code Execution via Twig SSTI2026-03-04
OSV
Craft CMS has potential authenticated Remote Code Execution via Twig SSTI2026-03-03
GHSA
Craft CMS has potential authenticated Remote Code Execution via Twig SSTI2026-03-03

🕵️Threat Intelligence

1
Wiz
CVE-2026-28784 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-28784 — Craftcms Craft CMS vulnerability | cvebase