CVE-2026-28697
CRITICALCraft CMS <4.17.0-beta.1/5.9.0-beta.1 - RCE
Title source: llmDescription
Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, an authenticated administrator can achieve Remote Code Execution (RCE) by injecting a Server-Side Template Injection (SSTI) payload into Twig template fields (e.g., Email Templates). By calling the craft.app.fs.write() method, an attacker can write a malicious PHP script to a web-accessible directory and subsequently access it via the browser to execute arbitrary system commands. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1.
Scores
CVSS v3
9.1
EPSS
0.0038
EPSS Percentile
59.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Classification
CWE
CWE-1336
Status
published
Affected Products (7)
craftcms/craft_cms
< 4.17.0
craftcms/craft_cms
craftcms/craft_cms
craftcms/craft_cms
craftcms/craft_cms
craftcms/craft_cms
craftcms/craft_cms
Timeline
Published
Mar 04, 2026
Tracked Since
Mar 05, 2026