Skip to main content

Craft CMS CVE-2026-55792

| EUVDEUVD-2026-41212 MEDIUM
Information Exposure (CWE-200)
2026-07-02 security-advisories@github.com GHSA-287w-mxq6-x2cp
6.0
CVSS 4.0 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
6.0 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Network-accessible exploit via email template rendering (AV:N), low-privilege control panel permission required (PR:L), scope unchanged as impact remains within the CMS application boundary (S:U), full confidentiality loss from unrestricted .env file read (C:H).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 06, 2026 - 23:01 EUVD
Analysis Generated
Jul 02, 2026 - 00:28 vuln.today

DescriptionCVE.org

Craft CMS is a content management system (CMS). In versions starting from 4.0.0-RC1 and prior to 4.18.0, and 5.0.0-RC1 and above, prior to 5.10.0, the dataUrl() Twig function is included in Craft’s Twig sandbox allowlist, allowing any control panel user granted the utility:system-messages permission to embed a file-reading payload into system email templates. When those emails are sent, the server reads the target file and returns its contents as a base64-encoded data URL embedded in the email body. The .env file, which typically contains the database password, CRAFT_SECURITY_KEY, and third-party API keys, passes all of Craft’s existing dataUrl() protection checks and is fully exfiltrated. Obtaining CRAFT_SECURITY_KEY enables an attacker to forge session tokens and escalate to full admin account takeover. This issue has been fixed in versions 4.18.0 and 5.10.0.

AnalysisAI

Server-side file exfiltration in Craft CMS versions 4.0.0-RC1 through 4.17.x and 5.0.0-RC1 through 5.9.x allows any control panel user granted the utility:system-messages permission to embed a dataUrl() Twig payload into system email templates, causing the server to read and base64-encode arbitrary files - including the .env file - into outbound email bodies. Exfiltration of CRAFT_SECURITY_KEY from the .env file enables an attacker to forge valid session tokens and escalate to full administrator account takeover, chaining a confidentiality breach into complete privilege escalation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Authenticate to Craft CMS control panel
Delivery
Leverage utility:system-messages permission to edit email template
Exploit
Inject dataUrl('.env') payload into template body
Install
Trigger system email send to attacker-controlled address
C2
Decode base64-encoded .env file contents from email
Execute
Extract CRAFT_SECURITY_KEY and database credentials
Impact
Forge admin session token for full account takeover

Vulnerability AssessmentAI

Exploitation Exploitation requires two concurrent conditions: first, the attacker must have authenticated access to the Craft CMS control panel (a valid user account); second, the utility:system-messages permission must be explicitly delegated to that user or their group by an administrator - this is not a default permission and must be intentionally granted. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 6.0 (AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N) is technically accurate but understates the operational risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has been granted the utility:system-messages permission in Craft CMS - for example, a trusted content editor or marketing team member - edits a system email template to include a dataUrl('/var/www/html/.env') call, then triggers a test or legitimate send of that email to an address they control. Craft's email renderer executes dataUrl() server-side, reads the .env file, and embeds the full base64-encoded contents in the email body; the attacker decodes the payload, extracts CRAFT_SECURITY_KEY, and uses it to forge a session cookie for an administrator account, achieving full CMS control. …
Remediation Upgrade to Craft CMS 4.18.0 (for 4.x deployments) or 5.10.0 (for 5.x deployments), which resolve this issue by restricting or removing dataUrl() from the Twig sandbox allowlist. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-55792 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy