CVE-2026-28784
HIGH
GHSA-qc86-q28f-ggww
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Description
Craft is a content management system (CMS). Prior to 5.8.22 and 4.16.18, it is possible to craft a malicious payload using the Twig map filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE. For this to work, you must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled for this to work, which is against our recommendations for any non-dev environment. Alternatively, you can have a non-administrator account with allowAdminChanges disabled, but you have access to the System Messages utility. Users should update to the patched versions (5.8.22 and 4.16.18) to mitigate the issue.
Analysis
Remote code execution in Craft CMS versions before 5.8.22 and 4.16.18 can be achieved by authenticated administrators or users with System Messages access by injecting malicious Twig payloads through the map filter in configurable text fields. An attacker with admin-level privileges and allowAdminChanges enabled, or non-admin access to System Messages utilities, can execute arbitrary code on the affected server. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all Craft CMS instances and their versions; restrict administrative access to Settings and System Messages utilities to trusted personnel only. Within 7 days: Apply vendor patches to upgrade to Craft CMS 5.8.22 or 4.16.18 or later across all instances. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today