CVE-2026-28784

UNKNOWN 0.0

Craft is affected by potential authenticated Remote Code Execution via Twig SSTI

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Craft is a content management system (CMS). Prior to 5.8.22 and 4.16.18, it is possible to craft a malicious payload using the Twig map filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE. For this to work, you must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled for this to work, which is against our recommendations for any non-dev environment. Alternatively, you can have a non-administrator account with allowAdminChanges disabled, but you have access to the System Messages utility. Users should update to the patched versions (5.8.22 and 4.16.18) to mitigate the issue.

CWE	CWE-1336
Vendor	craftcms
Product	cms
Published	Mar 4, 2026
Last Updated	Mar 6, 2026

Stay Ahead of the Next One

Get instant alerts for craftcms cms

Be the first to know when new unknown vulnerabilities affecting craftcms cms are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

craftcms / cms

>= 5.0.0-RC1, < 5.9.0-beta.1 >= 4.0.0-RC1, < 4.17.0-beta.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/craftcms/cms/security/advisories/GHSA-qc86-q28f-ggww github.com: https://github.com/craftcms/cms/pull/18208 craftcms.com: https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production