Description
Craft is a content management system (CMS). Prior to 5.9.0-beta.1 and 4.17.0-beta.1, Craft CMS implements a blocklist to prevent potentially dangerous PHP functions from being called via Twig non-Closure arrow functions. In order to be able to successfully execute this attack, you need to either have allowAdminChanges enabled on production, or a compromised admin account, or an account with access to the System Messages utility. Several PHP functions are not included in the blocklist, which could allow malicious actors with the required permissions to execute various types of payloads, including RCEs, arbitrary file reads, SSRFs, and SSTIs. This vulnerability is fixed in 5.9.0-beta.1 and 4.17.0-beta.1.
Published: 2026-03-04
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via Twig function bypass
Action: Immediate Patch
AI Analysis

Impact

Craft CMS prior to 5.9.0-beta.1 and 4.17.0-beta.1 implements a blocklist intended to prevent dangerous PHP functions from being executed through Twig non-Closure arrow functions. The blocklist, however, does not cover every potentially harmful PHP function. An attacker who holds administrative privileges, can enable allowAdminChanges on production, or has access to the System Messages utility can call the functions the blocklist omits, allowing them to execute arbitrary code, read arbitrary files, or perform SSRF and SSTI attacks. This vulnerability is essentially a code-execution flaw and is classified under CWE-1336, CWE-184, and CWE-94.

Affected Systems

The affected product is Craft CMS. The CVE applies to all versions released before 5.9.0-beta.1 and 4.17.0-beta.1; the CPE data explicitly lists the 5.0.0 releases and the 4.0.0 series up through rc3. Any installation running one of those versions is considered vulnerable until it has been upgraded to a fixed release. Exploitation depends on a configuration that permits admin changes (allowAdminChanges) or on an account with access to the System Messages utility. Administrators using the affected CMS should check the version in use against the fixed releases.
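To act on that version check, here is an added example (not part of this page or of Craft CMS) that compares an installed Craft version against the two fixed releases named in the advisory; it reads the craftcms/cms entry from a constructed composer.lock fragment and orders pre-releases below final releases, so 5.9.0-beta.1 counts as fixed while 5.8.x does not. Versions outside the 4.x and 5.x lines are reported as not covered, an assumption since the page gives fix data only for those two lines.

```python
import json
import re

# Fixed releases named in the advisory, keyed by major version line.
FIXED_RELEASES = {4: "4.17.0-beta.1", 5: "5.9.0-beta.1"}

# MAJOR.MINOR.PATCH with an optional pre-release tag such as -beta.1 or -rc3
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.?(\d+))?$")


def parse_version(text: str) -> tuple:
    """Parse a Craft version string into a tuple that compares correctly.

    Slot four is 1 for a final release and 0 for a pre-release, so plain
    tuple comparison gives 5.9.0-beta.1 < 5.9.0-rc.1 < 5.9.0.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4) is None:
        return (major, minor, patch, 1, "", 0)
    return (major, minor, patch, 0, m.group(4).lower(), int(m.group(5)))


def is_vulnerable(version: str) -> "bool | None":
    """True if the version predates its line's fix, False if it is fixed,
    None if the major line is not covered (assumption: only 4.x and 5.x)."""
    v = parse_version(version)
    fixed = FIXED_RELEASES.get(v[0])
    if fixed is None:
        return None
    return v < parse_version(fixed)


def craft_version_from_lock(lock_text: str) -> "str | None":
    """Return the installed craftcms/cms version recorded in composer.lock."""
    for pkg in json.loads(lock_text).get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg.get("version")
    return None


# Constructed composer.lock fragment standing in for a real project file.
SAMPLE_LOCK = '{"packages": [{"name": "craftcms/cms", "version": "5.8.3"}]}'

if __name__ == "__main__":
    installed = craft_version_from_lock(SAMPLE_LOCK)
    state = {True: "vulnerable", False: "fixed", None: "not covered"}
    print(installed, state[is_vulnerable(installed)])
```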

Risk and Exploitability

The flaw carries a CVSS score of 9.4 (Critical). Its EPSS score is below 1 %, implying a low probability that an exploit is actively used, and the vulnerability is not listed in the CISA KEV catalog. Because the attack requires privileged access, the exploitation pathway is limited to environments where an attacker can enable allowAdminChanges, compromise an admin account, or obtain an account with access to the System Messages utility. The overall risk is elevated for production sites that have not upgraded and still expose the required interfaces. The most serious outcome is remote code execution once the blocklist is bypassed.

Generated by OpenCVE AI on April 16, 2026 at 13:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Craft CMS to version 5.9.0‑beta.1 or later, or 4.17.0‑beta.1 or later.
  • Disable allowAdminChanges unless absolutely required and restrict its usage to trusted administrators.
  • Restrict access to the System Messages utility to a minimal set of highly trusted users.
  • Monitor application logs for unusual Twig function usage or attempts to execute disallowed PHP functions.
  • If an immediate upgrade is not possible, consider temporarily disabling the execution of all PHP functions from Twig via a custom patch or configuration until the fixed release is deployed.

Advisories
Source: GitHub GHSA
ID: GHSA-5fvc-7894-ghp4
Title: Craft CMS has Twig Function Blocklist Bypass
History

Thu, 05 Mar 2026 20:30:00 +0000

First Time appeared: Craftcms craft Cms
CPEs:
  cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
  cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:*
  cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*
  cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*
  cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*
  cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*
  cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*
Vendors & Products: Craftcms craft Cms
Metrics: cvssV3_1, score 9.1, vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H


Thu, 05 Mar 2026 09:15:00 +0000

First Time appeared: Craftcms, Craftcms craftcms
Vendors & Products: Craftcms, Craftcms craftcms

Wed, 04 Mar 2026 18:15:00 +0000

Metrics: ssvc (version 2.0.3), Automatable: no, Exploitation: none, Technical Impact: total


Wed, 04 Mar 2026 17:15:00 +0000

Description: Craft is a content management system (CMS). Prior to 5.9.0-beta.1 and 4.17.0-beta.1, Craft CMS implements a blocklist to prevent potentially dangerous PHP functions from being called via Twig non-Closure arrow functions. In order to be able to successfully execute this attack, you need to either have allowAdminChanges enabled on production, or a compromised admin account, or an account with access to the System Messages utility. Several PHP functions are not included in the blocklist, which could allow malicious actors with the required permissions to execute various types of payloads, including RCEs, arbitrary file reads, SSRFs, and SSTIs. This vulnerability is fixed in 5.9.0-beta.1 and 4.17.0-beta.1.
Title: Craft has a Twig Function Blocklist Bypass
Weaknesses: CWE-1336, CWE-184, CWE-94
References:
Metrics: cvssV4_0, score 9.4, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-06T05:01:22.026Z

Reserved: 2026-03-03T14:25:19.244Z

Link: CVE-2026-28783

Vulnrichment

Updated: 2026-03-04T17:34:00.593Z

NVD

Status: Analyzed

Published: 2026-03-04T17:16:21.690

Modified: 2026-03-05T20:24:42.203

Link: CVE-2026-28783

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T13:45:21Z

Weaknesses