Vulnerability Description
Craft is a content management system (CMS). There is an authenticated admin RCE in Craft CMS 5.8.21 via Server-Side Template Injection using the create() Twig function combined with a Symfony Process gadget chain. The create() Twig function exposes Craft::createObject(), which allows instantiation of arbitrary PHP classes with constructor arguments. Combined with the bundled symfony/process dependency, this enables RCE. This bypasses the fix implemented for CVE-2025-57811 (patched in 5.8.7). This vulnerability is fixed in 5.9.0-beta.1 and 4.17.0-beta.1.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Craftcms | Craft Cms | < 4.17.0 |
Related Weaknesses (CWE)
References
- https://github.com/craftcms/cms/commit/e31e50849ad71638e11ea55fbd1ed90ae8f8f6e0 (Patch)
- https://github.com/craftcms/cms/security/advisories/GHSA-94rc-cqvm-m4pw (Exploit, Mitigation, Patch)
FAQ
What is CVE-2026-28695?
CVE-2026-28695 is a vulnerability with a CVSS score of 7.2 (HIGH). Craft is a content management system (CMS). There is an authenticated admin RCE in Craft CMS 5.8.21 via Server-Side Template Injection using the create() Twig function combined with a Symfony Process ...
How severe is CVE-2026-28695?
CVE-2026-28695 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-28695?
Check the references section above for vendor advisories and patch information. Affected products include: Craftcms Craft Cms.