Vulnerability Description
Craft is a content management system (CMS). Prior to 5.8.22 and 4.16.18, it is possible to craft a malicious payload using the Twig map filter in text fields that accept Twig input under Settings in the Craft control panel, or using the System Messages utility, which could lead to remote code execution (RCE). For this to work, the attacker must have administrator access to the Craft Control Panel and allowAdminChanges must be enabled, which is against the vendor's recommendations for any non-dev environment. Alternatively, a non-administrator account can reach the same outcome with allowAdminChanges disabled, provided that account has access to the System Messages utility. Users should update to the patched versions (5.8.22 and 4.16.18) to mitigate the issue.
CVSS Score
7.2 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Craftcms | Craft Cms | < 4.17.0 |
Related Weaknesses (CWE)
References
- https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-fals (Technical Description)
- https://github.com/craftcms/cms/pull/18208 (Issue Tracking, Patch)
- https://github.com/craftcms/cms/security/advisories/GHSA-qc86-q28f-ggww (Patch, Vendor Advisory)
FAQ
What is CVE-2026-28784?
CVE-2026-28784 is a vulnerability with a CVSS score of 7.2 (HIGH). Craft is a content management system (CMS). Prior to 5.8.22 and 4.16.18, it is possible to craft a malicious payload using the Twig map filter in text fields that accept Twig input under Settings in t...
How severe is CVE-2026-28784?
CVE-2026-28784 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2026-28784?
Check the references section above for vendor advisories and patch information. Affected products include: Craftcms Craft Cms.