🔐 CVE Alert

CVE-2026-55792

Severity: UNKNOWN (CVSS 0.0)

Craft CMS: Sensitive File Disclosure / Server-Side File Read

CVSS Score: 0.0
EPSS Score: 0.3%
EPSS Percentile: 18th

Craft CMS is a content management system (CMS). In versions from 4.0.0-RC1 up to but not including 4.18.0, and from 5.0.0-RC1 up to but not including 5.10.0, the dataUrl() Twig function is included in Craft's Twig sandbox allowlist. This allows any control panel user granted the utility:system-messages permission to embed a file-reading payload in system email templates. When those emails are sent, the server reads the referenced file and returns its contents as a base64-encoded data URL embedded in the email body. The .env file, which typically contains the database password, CRAFT_SECURITY_KEY, and third-party API keys, passes all of Craft's existing dataUrl() protection checks and is fully exfiltrated. Obtaining CRAFT_SECURITY_KEY enables an attacker to forge session tokens and escalate to full admin account takeover. This issue has been fixed in versions 4.18.0 and 5.10.0.

CWE: CWE-200
Vendor: craftcms
Product: cms
Published: Jul 1, 2026
Last Updated: Jul 2, 2026
Affected Versions

craftcms / cms
  >= 4.0.0-RC1, < 4.18.0
  >= 5.0.0-RC1, < 5.10.0

References

GitHub advisory: https://github.com/craftcms/cms/security/advisories/GHSA-287w-mxq6-x2cp
GitHub fix PR: https://github.com/craftcms/cms/pull/18559