Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible exploit via email template rendering (AV:N), low-privilege control panel permission required (PR:L), scope unchanged as impact remains within the CMS application boundary (S:U), full confidentiality loss from unrestricted .env file read (C:H).
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Craft CMS is a content management system (CMS). In versions starting from 4.0.0-RC1 and prior to 4.18.0, and 5.0.0-RC1 and above, prior to 5.10.0, the dataUrl() Twig function is included in Craft’s Twig sandbox allowlist, allowing any control panel user granted the utility:system-messages permission to embed a file-reading payload into system email templates. When those emails are sent, the server reads the target file and returns its contents as a base64-encoded data URL embedded in the email body. The .env file, which typically contains the database password, CRAFT_SECURITY_KEY, and third-party API keys, passes all of Craft’s existing dataUrl() protection checks and is fully exfiltrated. Obtaining CRAFT_SECURITY_KEY enables an attacker to forge session tokens and escalate to full admin account takeover. This issue has been fixed in versions 4.18.0 and 5.10.0.
AnalysisAI
Server-side file exfiltration in Craft CMS versions 4.0.0-RC1 through 4.17.x and 5.0.0-RC1 through 5.9.x allows any control panel user granted the utility:system-messages permission to embed a dataUrl() Twig payload into system email templates, causing the server to read and base64-encode arbitrary files - including the .env file - into outbound email bodies. Exfiltration of CRAFT_SECURITY_KEY from the .env file enables an attacker to forge valid session tokens and escalate to full administrator account takeover, chaining a confidentiality breach into complete privilege escalation. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires two concurrent conditions: first, the attacker must have authenticated access to the Craft CMS control panel (a valid user account); second, the utility:system-messages permission must be explicitly delegated to that user or their group by an administrator - this is not a default permission and must be intentionally granted. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 6.0 (AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N) is technically accurate but understates the operational risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has been granted the utility:system-messages permission in Craft CMS - for example, a trusted content editor or marketing team member - edits a system email template to include a dataUrl('/var/www/html/.env') call, then triggers a test or legitimate send of that email to an address they control. Craft's email renderer executes dataUrl() server-side, reads the .env file, and embeds the full base64-encoded contents in the email body; the attacker decodes the payload, extracts CRAFT_SECURITY_KEY, and uses it to forge a session cookie for an administrator account, achieving full CMS control. … |
| Remediation | Upgrade to Craft CMS 4.18.0 (for 4.x deployments) or 5.10.0 (for 5.x deployments), which resolve this issue by restricting or removing dataUrl() from the Twig sandbox allowlist. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41212
GHSA-287w-mxq6-x2cp