CVE-2026-28783
CRITICAL EPSS 36.8%
Published Mar 4, 20263mo ago · Modified Jun 17, 20261w ago
9.4 CVSS 4.0
Published Mar 4, 2026 3mo ago
Last Modified Jun 17, 2026 1w ago
Description
Craft is a content management system (CMS). Prior to 5.9.0-beta.1 and 4.17.0-beta.1, Craft CMS implements a blocklist to prevent potentially dangerous PHP functions from being called via Twig non-Closure arrow functions. In order to be able to successfully execute this attack, you need to either have allowAdminChanges enabled on production, or a compromised admin account, or an account with access to the System Messages utility. Several PHP functions are not included in the blocklist, which could allow malicious actors with the required permissions to execute various types of payloads, including RCEs, arbitrary file reads, SSRFs, and SSTIs. This vulnerability is fixed in 5.9.0-beta.1 and 4.17.0-beta.1.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Attack Vector Network
Attack Complexity Low
Privileges Required High
User Interaction None
Scope X
Threat Intelligence
EPSS Exploit Probability
36.8% percentile
Exploit & Patch Status
No Known Exploit
Patch Available
Weaknesses 3
CWE-1336
CWE-184
CWE-94 Improper Control of Generation of Code (Code Injection) Injection
Affected Products 8
References 2
- github.com https://github.com/craftcms/cms/pull/18208
- github.com https://github.com/craftcms/cms/security/advisories/GHSA-5fvc-7894-ghp4
Remediation
- github.com https://github.com/craftcms/cms/pull/18208
- github.com https://github.com/craftcms/cms/security/advisories/GHSA-5fvc-7894-ghp4