Description
Craft is a content management system (CMS). Prior to 5.8.22 and 4.16.18, it is possible to craft a malicious payload using the Twig map filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to an RCE. For this to work, you must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled for this to work, which is against our recommendations for any non-dev environment. Alternatively, you can have a non-administrator account with allowAdminChanges disabled, but you have access to the System Messages utility. Users should update to the patched versions (5.8.22 and 4.16.18) to mitigate the issue.
Published: 2026-03-04
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Now
AI Analysis

Impact

Craft CMS is vulnerable to authenticated server-side template injection (SSTI): the Twig map filter can be abused in text fields that accept Twig input under Settings in the control panel, and in the System Messages utility. The flaw (CWE-1336, improper neutralization of special elements used in a template engine) lets an attacker execute arbitrary code on the web server. Two access paths exist: an administrator account on an install where allowAdminChanges is enabled (the Settings fields), or any account, administrator or not, that has been granted the System Messages utility, which works even when allowAdminChanges is disabled. A successful exploit compromises the confidentiality, integrity and availability of the CMS instance and any data it holds.

Affected Systems

The vulnerability affects Craft CMS (vendor craftcms, product craft_cms) versions prior to 4.16.18 on the 4.x line and prior to 5.8.22 on the 5.x line. The CPE entries cover both lines from their first releases, including the 4.0.0 and 5.0.0 release candidates (4.0.0 RC1 to RC3 and 5.0.0 RC1).

Risk and Exploitability

The CVSS 4.0 base score is 8.6 (High; NVD's CVSS 3.1 assessment is 7.2), while the EPSS score is below 1%, indicating a low probability of exploitation in the wild at present, and the CVE is not in CISA's KEV catalog. Exploitation requires an authenticated control-panel user with the relevant access: either an administrator on an install where allowAdminChanges is enabled, or any user granted the System Messages utility. Disabling allowAdminChanges therefore closes the Settings path but not the System Messages path, so the utility permission has to be restricted as well. The PR:H in the CVSS vector reflects the administrator precondition; the System Messages path may be reachable with lower privileges than that vector suggests. Overall, the high technical impact combined with the authentication requirement gives a moderate risk for installs on affected versions, higher where allowAdminChanges is left enabled in production or where non-administrators hold the utility permission.

Generated by OpenCVE AI on April 16, 2026 at 13:31 UTC.

Remediation

Vendor fix available: Craft CMS 5.8.22 and 4.16.18 contain the patch (see GHSA-qc86-q28f-ggww). No vendor workaround is provided beyond the configuration and permission restrictions described in the advisory.

OpenCVE Recommended Actions

  • Upgrade Craft CMS to version 5.8.22 or later, or 4.16.18 or later; these releases contain the patch for the Twig SSTI flaw.
  • If an upgrade is not immediately possible, disable allowAdminChanges in config/general.php (the vendor's recommended setting for any non-development environment). This blocks the Settings-field path for administrators but does not block the System Messages utility path.
  • Restrict the System Messages utility to the smallest possible set of trusted accounts and review user-group and individual permissions for non-administrators who hold it; this path works even with allowAdminChanges disabled.
  • After patching, review stored system messages and Twig-bearing settings for template code that nobody on the team wrote; a payload planted before the upgrade is an indicator of compromise.

Generated by OpenCVE AI on April 16, 2026 at 13:31 UTC.
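The two facts a responder needs for this CVE are the installed craftcms/cms version and the allowAdminChanges setting. The script below is an added example written for this page, not OpenCVE's or Craft's own tooling. It reads the version from composer.lock, reads allowAdminChanges from config/general.php in either the array form ('allowAdminChanges' => false) or the fluent form (->allowAdminChanges(false)), and reports which of the two attack paths named in the advisory remain open. The composer.lock and general.php contents are constructed samples; the regex is a convenience for the two literal forms and will not resolve values pulled from environment variables or per-environment config arrays, which need manual review. Craft documents the default for allowAdminChanges as true, which is what the script assumes when the key is absent.

```python
"""Audit a Craft CMS checkout for CVE-2026-28784 exposure (added example)."""
import json
import re
from typing import Optional

# Fixed releases named in the advisory (GHSA-qc86-q28f-ggww / CVE-2026-28784).
FIXED_IN = {4: "4.16.18", 5: "5.8.22"}


def parse_version(version: str) -> tuple:
    """Turn a Craft version string into a sortable tuple.

    '5.8.21'    -> (5, 8, 21, 1, '')
    '5.0.0-RC1' -> (5, 0, 0, 0, 'rc1')   # pre-release sorts before the final release
    """
    core, _, pre = version.strip().lstrip("v").partition("-")
    nums = [int(p) for p in core.split(".")]
    while len(nums) < 3:
        nums.append(0)
    return (*nums[:3], 0 if pre else 1, pre.lower())


def is_vulnerable(version: str) -> Optional[bool]:
    """True if in an affected range, False if patched, None if the major line
    (e.g. 3.x) is not covered by the advisory."""
    parsed = parse_version(version)
    fixed = FIXED_IN.get(parsed[0])
    if fixed is None:
        return None
    return parsed < parse_version(fixed)


def craft_version(composer_lock: str) -> Optional[str]:
    """Return the installed craftcms/cms version recorded in composer.lock."""
    data = json.loads(composer_lock)
    for pkg in data.get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg.get("version")
    return None


# Matches 'allowAdminChanges' => false  and  ->allowAdminChanges(false)
_ADMIN_CHANGES_RE = re.compile(
    r"allowAdminChanges(?:['\"]\s*=>|\()\s*(true|false)", re.IGNORECASE)


def allow_admin_changes(general_php: str) -> Optional[bool]:
    """Read allowAdminChanges from config/general.php.

    Returns None when no literal true/false is present (key absent, or the
    value comes from an environment variable); Craft's default is true.
    Only the first literal occurrence is read, so multi-environment configs
    need manual review.
    """
    m = _ADMIN_CHANGES_RE.search(general_php)
    if not m:
        return None
    return m.group(1).lower() == "true"


def assess(version: Optional[str], admin_changes: Optional[bool]) -> dict:
    """Combine both checks into the attack-path summary from the advisory."""
    vulnerable = is_vulnerable(version) if version else None
    effective_admin_changes = True if admin_changes is None else admin_changes
    return {
        "version": version,
        "vulnerable_version": vulnerable,
        "fixed_in": FIXED_IN.get(parse_version(version)[0]) if version else None,
        # Settings-field path: needs an admin account AND allowAdminChanges enabled.
        "settings_path_open": bool(vulnerable) and effective_admin_changes,
        # System Messages path: any account granted that utility, regardless
        # of allowAdminChanges.
        "system_messages_path_open": bool(vulnerable),
    }


# Constructed sample inputs (not taken from a real site).
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "craftcms/cms", "version": "5.8.21"},
        {"name": "twig/twig", "version": "3.x"},
    ]
})
SAMPLE_GENERAL_PHP = """<?php
return [
    'allowAdminChanges' => true,
    'devMode' => false,
];
"""

if __name__ == "__main__":
    result = assess(craft_version(SAMPLE_COMPOSER_LOCK),
                    allow_admin_changes(SAMPLE_GENERAL_PHP))
    for key, value in result.items():
        print(f"{key}: {value}")
```

On a real checkout, replace the two sample strings with the contents of composer.lock and config/general.php. If system_messages_path_open is true, the only fix is the upgrade; tightening allowAdminChanges alone leaves that path available to every account that holds the utility permission.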


Advisories
Source: GitHub GHSA
ID: GHSA-qc86-q28f-ggww
Title: Craft CMS has potential authenticated Remote Code Execution via Twig SSTI
History

Thu, 05 Mar 2026 10:45:00 +0000

Type: First Time appeared
Values added: Craftcms craft Cms

Type: CPEs
Values added:
cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*

Type: Vendors & Products
Values added: Craftcms craft Cms

Type: Metrics (cvssV3_1)
Values added: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


Thu, 05 Mar 2026 09:15:00 +0000

Type: First Time appeared
Values added: Craftcms; Craftcms craftcms

Type: Vendors & Products
Values added: Craftcms; Craftcms craftcms

Wed, 04 Mar 2026 18:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 04 Mar 2026 17:15:00 +0000

Type: Description
Values added: Craft is a content management system (CMS). Prior to 5.8.22 and 4.16.18, it is possible to craft a malicious payload using the Twig map filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE. For this to work, you must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled for this to work, which is against our recommendations for any non-dev environment. Alternatively, you can have a non-administrator account with allowAdminChanges disabled, but you have access to the System Messages utility. Users should update to the patched versions (5.8.22 and 4.16.18) to mitigate the issue.

Type: Title
Values added: Craft is affected by potential authenticated Remote Code Execution via Twig SSTI

Type: Weaknesses
Values added: CWE-1336

Type: References

Type: Metrics (cvssV4_0)
Values added: {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-06T05:01:19.825Z

Reserved: 2026-03-03T14:25:19.244Z

Link: CVE-2026-28784

Vulnrichment

Updated: 2026-03-04T17:32:59.818Z

NVD

Status : Analyzed

Published: 2026-03-04T17:16:21.853

Modified: 2026-03-05T10:37:57.920

Link: CVE-2026-28784

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T13:45:21Z

Weaknesses