Skip to main content

PHP CVE-2026-28783

CRITICAL
Code Injection (CWE-94)
2026-03-04 security-advisories@github.com GHSA-5fvc-7894-ghp4
PHP SSRF Craft Cms
9.1
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 12, 2026 - 22:05 vuln.today
Patch released
Mar 05, 2026 - 20:24 nvd
Patch available
CVE Published
Mar 04, 2026 - 17:16 nvd
CRITICAL 9.1

DescriptionNVD

Craft is a content management system (CMS). Prior to 5.9.0-beta.1 and 4.17.0-beta.1, Craft CMS implements a blocklist to prevent potentially dangerous PHP functions from being called via Twig non-Closure arrow functions. In order to be able to successfully execute this attack, you need to either have allowAdminChanges enabled on production, or a compromised admin account, or an account with access to the System Messages utility. Several PHP functions are not included in the blocklist, which could allow malicious actors with the required permissions to execute various types of payloads, including RCEs, arbitrary file reads, SSRFs, and SSTIs. This vulnerability is fixed in 5.9.0-beta.1 and 4.17.0-beta.1.

AnalysisAI

Code injection bypass in Craft CMS before 5.9.0-beta.1/4.17.0-beta.1 via blocklist evasion. Patch available.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain high-privilege account access
Exploit
Craft malicious Twig arrow function
Execution
Bypass incomplete PHP function blocklist
Impact
Execute arbitrary PHP code
Sign in to reveal

Vulnerability AssessmentAI

Exploitation High-privilege admin account or compromised account with System Messages utility access, combined with allowAdminChanges enabled on production environment, or administrative access to Craft CMS below version 5.9.0-beta.1 / 4.17.0-beta.1. Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 9.1. Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario Bypass dangerous function blocklist for code execution.
Remediation Update. Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify all Craft CMS instances in your environment and document their versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-48907 CRITICAL
10.0 Jun 05

Unauthenticated remote code execution in the JCE (Joomla Content Editor) extension for Joomla allows attackers to create
CVE-2026-48030 CRITICAL
9.9 Jun 09

Authenticated remote code execution in Pheditor 2.0.1-2.0.3 lets any logged-in user with the default terminal permission
CVE-2026-52778 CRITICAL
9.8 Jun 08

Remote code execution in YesWiki prior to 4.6.6 allows unauthenticated attackers to inject arbitrary PHP via the Bazar C
CVE-2026-38615 CRITICAL
9.8 Jun 09

DedeCMS V5.7.118 is vulnerable to Command Execution in file_manage_control.php.
CVE-2026-10777 MEDIUM POC
5.5 Jun 03

Authentication bypass in ealpha072's Student-Management-System PHP application exposes the administrative backend to rem

Share

CVE-2026-28783 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy