CVE-2026-28697 in Craft

Summary

by MITRE • 03/04/2026

Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, an authenticated administrator can achieve Remote Code Execution (RCE) by injecting a Server-Side Template Injection (SSTI) payload into Twig template fields (e.g., Email Templates). By calling the craft.app.fs.write() method, an attacker can write a malicious PHP script to a web-accessible directory and subsequently access it via the browser to execute arbitrary system commands. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1.


Analysis

by VulDB Data Team • 03/05/2026

The vulnerability identified as CVE-2026-28697 affects the Craft CMS platform in versions prior to 4.17.0-beta.1 and 5.9.0-beta.1. It is a critical flaw that allows an authenticated administrator to achieve remote code execution through server-side template injection. The root cause is insufficient validation and sanitization of input processed by the Twig template engine, which opens a path from administrative access to privilege escalation and full system compromise. The attack vector targets email templates and other template fields where user-controlled input is rendered without adequate restrictions.

Exploitation is a Server-Side Template Injection (SSTI) against the Craft CMS template engine: an attacker injects a payload into a template field that Twig later renders. The payload calls the craft.app.fs.write() method, which exposes file system write capability to authenticated administrators, and uses it to write a malicious PHP script into a web-accessible directory. That script then acts as a backdoor reachable with an ordinary browser request. The injected PHP runs with the privileges of the web server process, which can lead to full compromise of, and persistent access to, the affected environment.

The operational impact goes beyond privilege escalation because the flaw yields complete remote code execution. Once an administrator account is compromised, the attacker can execute arbitrary system commands, which may lead to data exfiltration, system enumeration and further movement into the network. Because core CMS functionality is affected and the outcome can be complete system compromise, the flaw is particularly dangerous for organizations that run critical web applications on Craft CMS. Only administrative credentials are required, which lowers the barrier to exploitation compared with vulnerabilities that need additional reconnaissance or a separate privilege escalation step.

Mitigation starts with an immediate upgrade to Craft CMS 4.17.0-beta.1 or 5.9.0-beta.1, which contain the patches for the SSTI and file system write issues. Organizations should also enforce strict validation and sanitization of all user-controllable template fields, especially those rendered by the template engine. Network segmentation and privilege separation limit the blast radius if administrator credentials are stolen, and unusual file system write operations and unexpected PHP script execution should be monitored. The vulnerability maps to CWE-74 and CWE-94 (injection and code injection) and to ATT&CK tactics covering privilege escalation and execution through legitimate system processes. Regular security assessments and vulnerability scanning should also be used to find similar template injection flaws in other CMS platforms and web applications.
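As an added example (not part of the VulDB entry or of Craft's own code), the following Python scanner implements the template-side monitoring suggested above: it flags any stored Twig template source that reaches craft.app.fs and rates a write() whose target is a PHP file as critical. The template names and contents are constructed for illustration, with the PHP body replaced by a placeholder.

```python
import re
from dataclasses import dataclass

# Twig expression chain that reaches Craft's filesystem service. Dotted
# (craft.app.fs) and bracketed (craft['app']['fs']) access are equivalent.
FS_CHAIN = (r"craft\s*(?:\.\s*app|\[\s*['\"]app['\"]\s*\])"
            r"\s*(?:\.\s*fs|\[\s*['\"]fs['\"]\s*\])")
WRITE_CALL = re.compile(FS_CHAIN + r"\s*\.\s*write\s*\(", re.IGNORECASE)
ANY_FS_ACCESS = re.compile(FS_CHAIN, re.IGNORECASE)
# A string literal naming a PHP-executable file (.php, .php7, .phtml, .phar).
PHP_TARGET = re.compile(r"['\"][^'\"]*\.ph(?:p\d?|tml|ar)['\"]", re.IGNORECASE)

@dataclass(frozen=True)
class Finding:
    template: str
    line: int
    severity: str
    reason: str

def scan_template(name: str, source: str) -> list[Finding]:
    """Return one Finding per template line that touches craft.app.fs."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if WRITE_CALL.search(line):
            # A write targeting a PHP file is the CVE-2026-28697 pattern.
            severity = "critical" if PHP_TARGET.search(line) else "high"
            findings.append(Finding(name, lineno, severity,
                                    "craft.app.fs.write() called from template"))
        elif ANY_FS_ACCESS.search(line):
            findings.append(Finding(name, lineno, "medium",
                                    "filesystem service reached from template"))
    return findings

def scan_templates(templates: dict[str, str]) -> list[Finding]:
    """Scan many templates and order findings by severity, worst first."""
    rank = {"critical": 0, "high": 1, "medium": 2}
    found = [f for name, src in templates.items() for f in scan_template(name, src)]
    return sorted(found, key=lambda f: (rank[f.severity], f.template, f.line))

# Constructed sample templates (not real site data); the third has the advisory's shape.
SAMPLE_TEMPLATES = {
    "email/verify": "Hi {{ user.friendlyName }},\n{{ link }}\n",
    "email/report": "{% set fs = craft.app.fs %}\nReport attached.\n",
    "email/reset": "{{ craft.app.fs.write('web/x.php', '<placeholder>') }}\n",
}

if __name__ == "__main__":
    for f in scan_templates(SAMPLE_TEMPLATES):
        print(f"[{f.severity}] {f.template}:{f.line} {f.reason}")
```

Pattern matching is a triage aid only; Twig's attribute() function and string concatenation can build the same chain without matching these regexes, so the upgrade remains the real fix.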

Responsible

GitHub M

Reservation

03/02/2026

Disclosure

03/04/2026

Moderation

accepted

CPE

ready

EPSS

0.00208

KEV

no

Activities

very low
