CVE-2026-28784
Severity: HIGH
Craft CMS 4.0.0-4.16.18 - Authenticated Remote Code Execution via Twig Map Filter
Craft is a content management system (CMS). Prior to 5.8.22 and 4.16.18, it is possible to craft a malicious payload using the Twig map filter in text fields that accept Twig input under Settings in the Craft control panel, or using the System Messages utility, which could lead to RCE. For this to work, you must have administrator access to the Craft control panel and allowAdminChanges must be enabled, which is against our recommendations for any non-dev environment. Alternatively, you can have a non-administrator account with allowAdminChanges disabled, but with access to the System Messages utility. Users should update to the patched versions (5.8.22 and 4.16.18) to mitigate the issue.
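The knowledge-base reference below tells operators to set allowAdminChanges to false in production, which closes the administrator path described above (it does not close the System Messages utility path, which only the patched versions fix). The following config/general.php is an added example written for this entry, not code from Craft or from the advisory. It assumes the standard Craft 4/5 project layout, the craft\config\GeneralConfig fluent config API, and that the deployment sets the CRAFT_ENVIRONMENT variable (for example in .env) to "dev", "staging" or "production"; the weak setting is shown commented out beside the hardened one.

```php
<?php
// config/general.php
//
// Added example (not Craft's own code): one general config that leaves
// allowAdminChanges enabled only in the development environment, so the
// Settings pages that accept Twig input are read-only everywhere else.
// Assumes CRAFT_ENVIRONMENT is set by the deployment (e.g. via .env).

use craft\config\GeneralConfig;
use craft\helpers\App;

// WEAK: enabling admin changes everywhere makes the administrator-side
// path from this advisory reachable on production hosts.
// return GeneralConfig::create()->allowAdminChanges(true);

// Default to the most restrictive environment when the variable is missing,
// so a forgotten .env on a new host fails closed rather than open.
$env = App::env('CRAFT_ENVIRONMENT') ?: 'production';
$isDev = $env === 'dev';

return GeneralConfig::create()
    // Settings edits (and therefore Twig-bearing settings fields) only in dev;
    // production receives settings through committed project config instead.
    ->allowAdminChanges($isDev)
    // Keep detailed error output off outside dev as well.
    ->devMode($isDev);

// Alternative (assumption: Craft 4+ environment overrides for general config):
// put CRAFT_ALLOW_ADMIN_CHANGES=false in the production .env, which takes
// precedence over the value returned from this file.
```

After deploying, confirm the control panel reports that admin changes are disabled and that the Settings area is read-only on the production host. Because the second route in the advisory goes through the System Messages utility with allowAdminChanges already disabled, also review which non-administrator user groups are granted that utility until the instance is on 4.16.18 or 5.8.22.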
References (3)
Vendor Advisory: https://github.com/craftcms/cms/security/advisories/GHSA-qc86-q28f-ggww
Issue Tracking: https://github.com/craftcms/cms/pull/18208
Various Sources (Craft knowledge base, "Securing Craft"): https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production
Scores
CVSS v3: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: NETWORK
EPSS: 0.0051 (percentile 39.5%)
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine)
Status: published
Products (3)
craftcms/craft_cms 4.0.0 (4 CPE variants)
craftcms/craft_cms 5.0.0 (2 CPE variants)
craftcms/craft_cms 4.0.0 - 4.17.0
Published: Mar 04, 2026
Tracked Since: Mar 05, 2026