Skip to main content

Craft CMS CVE-2026-55794

| EUVDEUVD-2026-41213 HIGH
Code Injection (CWE-94)
2026-07-02 security-advisories@github.com GHSA-f74w-488g-8x5r
8.7
CVSS 4.0 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.8 HIGH

Network-reachable entry-save flow with low complexity, but requires an authenticated entry-editing account (PR:L); code execution yields full high C/I/A on the host, scope unchanged.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 06, 2026 - 23:01 EUVD
Analysis Generated
Jul 02, 2026 - 00:29 vuln.today

DescriptionCVE.org

Craft CMS is a content management system (CMS). In versions 5.9.0 and above prior to 5.10.0, control panel users with the ability to edit entries can execute unsandboxed Twig code via the HTTP Referrer header, potentially leading to authenticated RCE. The issue happens when a user is saving entries. Strings for a signed redirect URL are being compiled as a Twig template via renderObjectTemplate(), and while a sandboxed alternative already exists (renderSandboxedObjectTemplate()), it is not used in this case. This signed URL can be specified by users, as it is reflected in the “Referer” HTTP request header, which is under attacker control. This issue has been fixed in version 5.10.0.

AnalysisAI

Authenticated remote code execution in Craft CMS 5.9.0 through 5.9.x allows control panel users with entry-editing permissions to inject unsandboxed Twig code via the HTTP Referer header during entry save operations. Because the signed redirect URL derived from the attacker-controlled Referer is compiled with renderObjectTemplate() instead of the sandboxed renderSandboxedObjectTemplate(), a low-privileged CMS operator can achieve server-side template injection leading to code execution. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to control panel as entry editor
Delivery
Craft malicious Twig payload in Referer header
Exploit
Submit entry-save request
Execution
renderObjectTemplate() compiles signed URL unsandboxed
Persist
Injected Twig executes on server
Impact
Achieve authenticated RCE

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated Craft CMS control panel user who possesses the 'edit entries' permission (PR:L), and the malicious payload must be delivered in the HTTP Referer header of a request that triggers the entry-save flow, where the signed redirect URL is compiled via renderObjectTemplate(). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 8.7 (AV:N/AC:L/AT:N/PR:L/UI:N with high vulnerable-system confidentiality, integrity, and availability impact) reflects a network-reachable, low-complexity attack that nonetheless requires low-level privileges (PR:L) - specifically an authenticated control panel account with entry-edit rights - and no user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who holds (or has phished/compromised) a low-privilege Craft control panel account with entry-editing permission crafts a malicious Referer header containing Twig code and triggers an entry save, causing the injected template expression to be compiled and executed unsandboxed on the server. Because the attack is network-based with low complexity and no user interaction, a single authenticated request can yield code execution. …
Remediation Vendor-released patch: upgrade to Craft CMS 5.10.0, which replaces the unsandboxed renderObjectTemplate() call with the sandboxed alternative in the entry-save redirect handling; this is the primary and complete fix (advisory: https://github.com/craftcms/cms/security/advisories/GHSA-f74w-488g-8x5r, code change: https://github.com/craftcms/cms/pull/18680). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Craft CMS instances; identify systems running 5.9.0-5.9.x and audit which users hold entry-editing permissions in the control panel. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-55794 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy