Description
Craft is a content management system (CMS). There is an authenticated admin RCE in Craft CMS 5.8.21 via Server-Side Template Injection using the create() Twig function combined with a Symfony Process gadget chain. The create() Twig function exposes Craft::createObject(), which allows instantiation of arbitrary PHP classes with constructor arguments. Combined with the bundled symfony/process dependency, this enables RCE. This bypasses the fix implemented for CVE-2025-57811 (patched in 5.8.7). This vulnerability is fixed in 5.9.0-beta.1 and 4.17.0-beta.1.
Published: 2026-03-04
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Craft CMS allows an authenticated administrator to exploit a server‑side template injection via the Twig create() function, which internally calls Craft::createObject(). By chaining this with the bundled Symfony Process component as a gadget, an attacker can instantiate arbitrary PHP classes with chosen constructor arguments, leading to remote code execution on the host running the CMS. The flaw bypasses the prior fix for a related vulnerability (CVE-2025-57811) and is classified as CWE‑1336, improper neutralization of special elements used in a template engine (template injection).

Affected Systems

Craft CMS versions before 5.9.0‑beta.1 and 4.17.0‑beta.1 are vulnerable: an administratively privileged user can exercise this weakness on 5.8.21 and earlier 5.x releases, and 4.x releases below 4.17.0‑beta.1 are also affected.

Risk and Exploitability

The CVSS score of 7.5 marks high severity, but the EPSS score of less than 1% suggests a low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog, so no widespread exploitation has been documented yet. Because the issue bypasses an earlier fix, sites that rely on the CVE-2025-57811 patch alone remain exposed. The attack requires authenticated admin credentials; once those are obtained, the attacker can execute arbitrary system commands with the privileges of the PHP process. Vigilance and timely patching are therefore critical.

Generated by OpenCVE AI on April 17, 2026 at 13:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Craft CMS to version 5.9.0‑beta.1 or later, or to 4.17.0‑beta.1 or later, ensuring the bundled Symfony Process component is updated or removed.
  • If an upgrade is not immediately possible, restrict or disable the Twig create() function (by limiting plugin usage or adjusting configuration) so that arbitrary class instantiation is prevented, and remove the symfony/process dependency if it is not required.
  • Limit administrative privileges, enforce strong authentication, and monitor server logs for unexpected create() calls or system command execution to detect exploitation attempts.

Advisories

Source: GitHub GHSA
ID: GHSA-94rc-cqvm-m4pw
Title: Craft CMS Vulnerable to Authenticated RCE via Twig SSTI - create() function + Symfony Process gadget
History

Thu, 05 Mar 2026 20:00:00 +0000

Values added:
First Time appeared: Craftcms craft Cms
CPEs:
cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*
Vendors & Products: Craftcms craft Cms
Metrics: cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


Thu, 05 Mar 2026 09:15:00 +0000

Values added:
First Time appeared: Craftcms; Craftcms craftcms
Vendors & Products: Craftcms; Craftcms craftcms

Wed, 04 Mar 2026 17:15:00 +0000

Values added:
Metrics: ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 04 Mar 2026 16:30:00 +0000

Values added:
Description: Craft is a content management system (CMS). There is an authenticated admin RCE in Craft CMS 5.8.21 via Server-Side Template Injection using the create() Twig function combined with a Symfony Process gadget chain. The create() Twig function exposes Craft::createObject(), which allows instantiation of arbitrary PHP classes with constructor arguments. Combined with the bundled symfony/process dependency, this enables RCE. This bypasses the fix implemented for CVE-2025-57811 (patched in 5.8.7). This vulnerability is fixed in 5.9.0-beta.1 and 4.17.0-beta.1.
Title: Craft affected by authenticated RCE via Twig SSTI - create() function + Symfony Process gadget
Weaknesses: CWE-1336
References:
Metrics: cvssV4_0

{'score': 7.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-06T05:01:24.295Z

Reserved: 2026-03-02T21:43:19.928Z

Link: CVE-2026-28695

Vulnrichment

Updated: 2026-03-04T17:05:18.100Z

NVD

Status: Analyzed

Published: 2026-03-04T17:16:20.887

Modified: 2026-03-05T19:54:27.660

Link: CVE-2026-28695

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T13:15:19Z

Weaknesses