Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable entry-save flow with low complexity, but requires an authenticated entry-editing account (PR:L); code execution yields full high C/I/A on the host, scope unchanged.
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Craft CMS is a content management system (CMS). In versions 5.9.0 and above prior to 5.10.0, control panel users with the ability to edit entries can execute unsandboxed Twig code via the HTTP Referrer header, potentially leading to authenticated RCE. The issue happens when a user is saving entries. Strings for a signed redirect URL are being compiled as a Twig template via renderObjectTemplate(), and while a sandboxed alternative already exists (renderSandboxedObjectTemplate()), it is not used in this case. This signed URL can be specified by users, as it is reflected in the “Referer” HTTP request header, which is under attacker control. This issue has been fixed in version 5.10.0.
AnalysisAI
Authenticated remote code execution in Craft CMS 5.9.0 through 5.9.x allows control panel users with entry-editing permissions to inject unsandboxed Twig code via the HTTP Referer header during entry save operations. Because the signed redirect URL derived from the attacker-controlled Referer is compiled with renderObjectTemplate() instead of the sandboxed renderSandboxedObjectTemplate(), a low-privileged CMS operator can achieve server-side template injection leading to code execution. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated Craft CMS control panel user who possesses the 'edit entries' permission (PR:L), and the malicious payload must be delivered in the HTTP Referer header of a request that triggers the entry-save flow, where the signed redirect URL is compiled via renderObjectTemplate(). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base score of 8.7 (AV:N/AC:L/AT:N/PR:L/UI:N with high vulnerable-system confidentiality, integrity, and availability impact) reflects a network-reachable, low-complexity attack that nonetheless requires low-level privileges (PR:L) - specifically an authenticated control panel account with entry-edit rights - and no user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who holds (or has phished/compromised) a low-privilege Craft control panel account with entry-editing permission crafts a malicious Referer header containing Twig code and triggers an entry save, causing the injected template expression to be compiled and executed unsandboxed on the server. Because the attack is network-based with low complexity and no user interaction, a single authenticated request can yield code execution. … |
| Remediation | Vendor-released patch: upgrade to Craft CMS 5.10.0, which replaces the unsandboxed renderObjectTemplate() call with the sandboxed alternative in the entry-save redirect handling; this is the primary and complete fix (advisory: https://github.com/craftcms/cms/security/advisories/GHSA-f74w-488g-8x5r, code change: https://github.com/craftcms/cms/pull/18680). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Craft CMS instances; identify systems running 5.9.0-5.9.x and audit which users hold entry-editing permissions in the control panel. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41213
GHSA-f74w-488g-8x5r