CVE-2026-28695
Craft affected by authenticated RCE via Twig SSTI - create() function + Symfony Process gadget
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
Craft is a content management system (CMS). There is an authenticated admin RCE in Craft CMS 5.8.21 via Server-Side Template Injection using the create() Twig function combined with a Symfony Process gadget chain. The create() Twig function exposes Craft::createObject(), which allows instantiation of arbitrary PHP classes with constructor arguments. Combined with the bundled symfony/process dependency, this enables RCE. This bypasses the fix implemented for CVE-2025-57811 (patched in 5.8.7). This vulnerability is fixed in 5.9.0-beta.1 and 4.17.0-beta.1.
| CWE | CWE-1336 |
| Vendor | craftcms |
| Product | cms |
| Published | Mar 4, 2026 |
| Last Updated | Mar 6, 2026 |
Affected Versions
craftcms / cms
>= 5.8.7, < 5.9.0-beta.1
>= 4.0.0-RC1, < 4.17.0-beta.1
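As an added example (not the advisory's text or Craft's own code), the script below checks an installed Craft CMS version against the two affected ranges listed above. The `parse_version`, `affected_range` and `is_affected` helpers are assumptions of this example; they expect Craft's SemVer-style tags (`5.9.0-beta.1`, `4.0.0-RC1`) and order pre-release identifiers case-insensitively so that `RC1` sorts after `beta.1`.

```python
import re
from typing import Optional, Tuple

# Affected ranges as published on the advisory: (lower inclusive, upper exclusive).
AFFECTED_RANGES = [
    ("5.8.7", "5.9.0-beta.1"),      # 5.x: from the CVE-2025-57811 fix up to the new fix
    ("4.0.0-RC1", "4.17.0-beta.1"),
]

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")
_RELEASE = ((2,),)  # sentinel: a final release sorts after any pre-release of the same core


def parse_version(text: str) -> Tuple[tuple, tuple]:
    """Turn 'MAJOR.MINOR.PATCH[-PRERELEASE]' into a key that sorts like SemVer.

    Pre-release identifiers are compared dot by dot: numeric ones numerically
    (and below alphanumeric ones), alphanumeric ones case-insensitively.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Craft version string: {text!r}")
    core = tuple(int(p) for p in m.group(1, 2, 3))
    if m.group(4) is None:
        return core, _RELEASE
    pre = tuple(
        (0, int(ident), "") if ident.isdigit() else (1, 0, ident.lower())
        for ident in m.group(4).split(".")
    )
    return core, pre


def affected_range(version: str) -> Optional[Tuple[str, str]]:
    """Return the published range containing `version`, or None if it is outside all of them."""
    key = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if parse_version(low) <= key < parse_version(high):
            return low, high
    return None


def is_affected(version: str) -> bool:
    """True when the installed Craft CMS version is in a vulnerable range for CVE-2026-28695."""
    return affected_range(version) is not None


if __name__ == "__main__":
    # Constructed sample versions, including the one the advisory names (5.8.21).
    for v in ("5.8.21", "5.9.0-beta.1", "4.16.3", "4.17.0", "5.8.6"):
        print(f"{v:14} affected={is_affected(v)}")
```

Note that a 5.x install below 5.8.7 reports as not affected by this CVE only because it predates the CVE-2025-57811 fix the page mentions; it is not a safe version.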