How to fix CVE-2026-28783?

Within 24 hours: Identify all Craft CMS instances in your environment and document their versions. Within 7 days: Apply the available patch to upgrade to version 5.9.0-beta.1, 4.17.0-beta.1, or later across all affected systems. Within 30 days: Conduct a security audit of Twig template usage and implement code review processes to prevent similar bypasses; monitor access logs for suspicious Twig-based exploitation attempts.

Is PHP affected by CVE-2026-28783?

Craft CMS versions prior to 5.9.0-beta.1 and 4.17.0-beta.1 contain a critical vulnerability that allows attackers to bypass security controls and execute arbitrary PHP functions through Twig templates, potentially leading to complete system compromise.

CVE-2026-28783

CRITICAL

2026-03-04 [email protected]

GHSA-5fvc-7894-ghp4

9.1

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:05 vuln.today

Patch Released

Mar 05, 2026 - 20:24 nvd

Patch available

CVE Published

Mar 04, 2026 - 17:16 nvd

CRITICAL 9.1

Description

Craft is a content management system (CMS). Prior to 5.9.0-beta.1 and 4.17.0-beta.1, Craft CMS implements a blocklist to prevent potentially dangerous PHP functions from being called via Twig non-Closure arrow functions. In order to be able to successfully execute this attack, you need to either have allowAdminChanges enabled on production, or a compromised admin account, or an account with access to the System Messages utility. Several PHP functions are not included in the blocklist, which could allow malicious actors with the required permissions to execute various types of payloads, including RCEs, arbitrary file reads, SSRFs, and SSTIs. This vulnerability is fixed in 5.9.0-beta.1 and 4.17.0-beta.1.

Analysis

Code injection bypass in Craft CMS before 5.9.0-beta.1/4.17.0-beta.1 via blocklist evasion. Patch available.

Remediation

Within 24 hours: Identify all Craft CMS instances in your environment and document their versions. Within 7 days: Apply the available patch to upgrade to version 5.9.0-beta.1, 4.17.0-beta.1, or later across all affected systems. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +46

POC: 0

CVE-2026-28783 vulnerability details – vuln.today

Back

CVE-2026-28783

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-28783

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code