Description
Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, an authenticated administrator can achieve Remote Code Execution (RCE) by injecting a Server-Side Template Injection (SSTI) payload into Twig template fields (e.g., Email Templates). By calling the craft.app.fs.write() method, an attacker can write a malicious PHP script to a web-accessible directory and subsequently access it via the browser to execute arbitrary system commands. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1.
Published: 2026-03-04
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The flaw is a server‑side template injection that lets an authenticated administrator inject code into Twig template fields such as email templates. By calling the craft.app.fs.write() function, the attacker can write a malicious PHP script to a public directory and later execute it, giving arbitrary system‑command execution on the host. The weakness is identified as CWE‑1336 and the impact is the complete compromise of confidentiality, integrity, and availability of the affected website.

Affected Systems

CraftCMS Craft CMS content management system. All 4.x releases prior to 4.17.0‑beta.1 and all 5.x releases prior to 5.9.0‑beta.1 expose the vulnerability. If a site is running any version of Craft CMS that has not yet applied the update, it is affected.

Risk and Exploitability

This critical condition scores 9.4 on CVSS; the EPSS probability is lower than 1%, and the vulnerability is not yet listed in the CISA KEV catalog. The only prerequisite for exploitation is an authenticated administrator account, after which an attacker can inject an SSTI payload into any writable Twig field. The craft.app.fs.write() call then creates a PHP script in a publicly accessible directory, which can be invoked via the browser to run arbitrary commands. Delaying patching could leave a site open to complete takeover by exploiting this flaw.

Generated by OpenCVE AI on April 17, 2026 at 13:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Craft CMS to version 4.17.0‑beta.1 or later, or 5.9.0‑beta.1 or later.
  • Disable or restrict the craft.app.fs.write() capability in Twig templates so that only non‑administrator users can use it.
  • Audit existing templates for injection vectors and remove any suspicious or malicious content.

One way to start the template audit recommended above: the script below is an added example, not code from OpenCVE or from the Craft CMS project. It walks a directory of Twig templates (assumed suffixes .twig and .html), flags every line that calls the craft.app.fs.write() method named in the advisory, and reports file and line number so the flagged template can be reviewed by hand. The two sample templates are constructed here for the demonstration; the regex is whitespace-tolerant so that spacing variations around the dots and the opening parenthesis are still caught.

```python
"""Flag craft.app.fs.write() calls in Twig templates (added audit helper, not Craft's own code)."""
import re
import tempfile
from pathlib import Path

# Match the method named in the advisory; allow whitespace around dots/paren so
# `craft.app.fs .write (` is also reported. Case-insensitive to catch odd casing.
FS_WRITE_RE = re.compile(r"craft\s*\.\s*app\s*\.\s*fs\s*\.\s*write\s*\(", re.IGNORECASE)

# Assumed template file suffixes; adjust to the site's conventions.
TEMPLATE_SUFFIXES = {".twig", ".html"}


def scan_text(text, source="<string>"):
    """Return (source, line_number, stripped_line) for each line calling craft.app.fs.write()."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if FS_WRITE_RE.search(line):
            hits.append((source, lineno, line.strip()))
    return hits


def scan_directory(root):
    """Scan every template file under root (recursively) and collect hits."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in TEMPLATE_SUFFIXES:
            try:
                text = path.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            hits.extend(scan_text(text, path.relative_to(root).as_posix()))
    return hits


# Constructed sample templates: one benign, one containing the flagged call.
SAMPLE_TEMPLATES = {
    "email/welcome.twig": (
        "<p>Hello {{ user.friendlyName }}</p>\n"
        "<p>Thanks for joining {{ siteName }}.</p>\n"
    ),
    "email/suspicious.twig": (
        "{% set content = 'placeholder' %}\n"
        "{% do craft.app.fs.write(path, content) %}\n"
    ),
}


def demo(tmpdir=None):
    """Write the constructed samples to a temporary directory and scan it."""
    if tmpdir is None:
        tmpdir = tempfile.mkdtemp()
    for rel, body in SAMPLE_TEMPLATES.items():
        target = Path(tmpdir) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
    return scan_directory(tmpdir)


if __name__ == "__main__":
    for source, lineno, line in demo():
        print(f"{source}:{lineno}: {line}")
```

Run it against the site's templates directory with `scan_directory("templates")`; the file-based scan covers templates on disk, while templates stored in the database (such as email templates edited in the control panel) would need to be exported and fed to `scan_text()` the same way. A hit is a review trigger, not proof of compromise: legitimate templates rarely need this call, so each one should be justified or removed.
<test>
hits = demo()
assert len(hits) == 1
assert hits[0][0] == "email/suspicious.twig"
assert hits[0][1] == 2
assert scan_text("{{ craft.app.fs.write(a, b) }}") == [("<string>", 1, "{{ craft.app.fs.write(a, b) }}")]
assert scan_text("{{ craft.app.fs . write (a, b) }}") != []
assert scan_text("{{ craft.app.fs.read(a) }}") == []
</test>


Tracking


Advisories
Source: Github GHSA
ID: GHSA-v47q-jxvr-p68x
Title: Craft CMS Vulnerable to Authenticated RCE via "craft.app.fs.write()" in Twig Templates
History

Thu, 05 Mar 2026 10:45:00 +0000

Values added:
First Time appeared: Craftcms craft Cms
CPEs:
cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*
Vendors & Products: Craftcms craft Cms
Metrics: cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}


Thu, 05 Mar 2026 09:15:00 +0000

Values added:
First Time appeared: Craftcms; Craftcms craftcms
Vendors & Products: Craftcms; Craftcms craftcms

Wed, 04 Mar 2026 18:15:00 +0000

Values added:
Metrics: ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 04 Mar 2026 16:45:00 +0000

Values added:
Description: Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, an authenticated administrator can achieve Remote Code Execution (RCE) by injecting a Server-Side Template Injection (SSTI) payload into Twig template fields (e.g., Email Templates). By calling the craft.app.fs.write() method, an attacker can write a malicious PHP script to a web-accessible directory and subsequently access it via the browser to execute arbitrary system commands. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1.
Title: Craft Affected by Authenticated RCE via "craft.app.fs.write()" in Twig Templates
Weaknesses: CWE-1336
References:
Metrics: cvssV4_0

{'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


Subscriptions

Craftcms Craft Cms Craftcms
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-06T05:01:23.152Z

Reserved: 2026-03-02T21:43:19.928Z

Link: CVE-2026-28697

Vulnrichment

Updated: 2026-03-04T18:02:20.041Z

NVD

Status: Analyzed

Published: 2026-03-04T17:16:21.210

Modified: 2026-03-05T10:37:46.627

Link: CVE-2026-28697

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T13:15:19Z

Weaknesses