CVE-2026-28697
Craft Affected by Authenticated RCE via "craft.app.fs.write()" in Twig Templates
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
Craft is a content management system (CMS). In versions prior to 4.17.0-beta.1 (4.x) and 5.9.0-beta.1 (5.x), an authenticated administrator can achieve Remote Code Execution (RCE) by placing a Server-Side Template Injection (SSTI) payload in a Twig template field (e.g., Email Templates). Because the template is rendered server-side, a call to the craft.app.fs.write() method lets the attacker write a malicious PHP script into a web-accessible directory and then request it through the browser, executing arbitrary PHP code and system commands with the web server's privileges. The vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1.
| CWE | CWE-1336 |
| Vendor | craftcms |
| Product | cms |
| Published | Mar 4, 2026 |
| Last Updated | Mar 6, 2026 |
Affected Versions
craftcms / cms
>= 5.0.0-RC1, < 5.9.0-beta.1
>= 4.0.0-RC1, < 4.17.0-beta.1
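The following triage script is an added example and is not code from Craft CMS or from the advisory. It does two things a responder would want from this page: it decides whether a Craft version string falls inside the affected ranges above, honouring Composer-style prerelease ordering (dev < alpha < beta < RC < stable) so that 4.17.0-beta.1 counts as fixed while 4.16.3 counts as affected, and it scans Twig template text for the craft.app.fs.write() sink the advisory names. The version strings, the two sample templates and the helper names (version_key, is_affected, find_template_sinks) are constructed for this example.

```python
"""Triage helpers for CVE-2026-28697 (Craft CMS Twig SSTI via craft.app.fs.write()).

Added example; not code from Craft CMS or the advisory. Assumes the version
string Craft reports (e.g. "4.16.3", "5.9.0-beta.1") and takes the affected
ranges verbatim from the advisory. Prerelease ordering follows Composer's
stability ranking (dev < alpha < beta < RC < stable); plain string ordering
would sort "RC1" before "beta.1" and misclassify releases.
"""
import re

# Affected ranges from the advisory: lower bound inclusive, upper bound exclusive.
AFFECTED_RANGES = [
    ("4.0.0-RC1", "4.17.0-beta.1"),
    ("5.0.0-RC1", "5.9.0-beta.1"),
]

_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:[-.]?(dev|alpha|beta|rc|a|b)[-.]?(\d*))?$",
    re.IGNORECASE,
)
_STABILITY = {"dev": 0, "alpha": 1, "a": 1, "beta": 2, "b": 2, "rc": 3}
_STABLE = 4  # no prerelease tag sorts after every prerelease of the same core


def version_key(version):
    """Map a Craft version string to a tuple that sorts in release order.

    '5.9.0-beta.1' -> (5, 9, 0, 2, 1); '5.9.0' -> (5, 9, 0, 4, 0).
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Craft version string: {version!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    tag, num = m.group(4), m.group(5)
    if tag is None:
        return core + (_STABLE, 0)
    return core + (_STABILITY[tag.lower()], int(num) if num else 0)


def is_affected(version):
    """True if `version` lies inside one of the advisory's affected ranges."""
    key = version_key(version)
    return any(version_key(lo) <= key < version_key(hi) for lo, hi in AFFECTED_RANGES)


# The sink named in the advisory, tolerant of whitespace around Twig's dot operator.
_FS_WRITE = re.compile(r"craft\s*\.\s*app\s*\.\s*fs\s*\.\s*write\s*\(", re.IGNORECASE)
# Twig's attribute() resolves member names at runtime, so the literal text above
# can be avoided; such lines are flagged for manual review rather than ignored.
_DYNAMIC_ATTR = re.compile(r"\battribute\s*\(", re.IGNORECASE)


def find_template_sinks(template):
    """Return (line_number, reason, line) for each suspicious line of a Twig template."""
    findings = []
    for lineno, line in enumerate(template.splitlines(), start=1):
        if _FS_WRITE.search(line):
            findings.append((lineno, "craft.app.fs.write() call", line.strip()))
        elif _DYNAMIC_ATTR.search(line):
            findings.append((lineno, "dynamic attribute() lookup, review manually", line.strip()))
    return findings


# Constructed sample templates (not real site data) so the script runs stand-alone.
BENIGN_EMAIL_TEMPLATE = """\
{# account activation email #}
<p>Hello {{ user.friendlyName }},</p>
<p><a href="{{ link }}">Activate your account</a></p>
"""

SUSPICIOUS_EMAIL_TEMPLATE = """\
<p>Hello {{ user.friendlyName }},</p>
{{ craft . app . fs . write(targetPath, payload) }}
{{ attribute(craft.app.fs, methodName, [targetPath, payload]) }}
"""

if __name__ == "__main__":
    for v in ["4.16.3", "4.17.0-beta.1", "5.0.0-RC1", "5.8.2", "5.9.0-beta.1", "3.9.14"]:
        print(f"{v:>14}: {'AFFECTED' if is_affected(v) else 'not affected'}")
    for lineno, reason, line in find_template_sinks(SUSPICIOUS_EMAIL_TEMPLATE):
        print(f"line {lineno}: {reason}: {line}")
```

The template scan is a triage aid for reviewing existing Email Templates and other admin-editable Twig fields after the fact; it is not a mitigation. Twig offers several ways to reach the same method without the literal text, so a clean scan does not mean a site is safe, and the only fix the advisory offers is upgrading to 4.17.0-beta.1 or 5.9.0-beta.1 or later.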