Cyber Resilience

CVE-2026-28695

HighPublic PoC

Published: 04 March 2026

Published
04 March 2026
Modified
05 March 2026
KEV Added
Patch
CVSS Score v4 7.5 CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0003 8.2th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-28695 is a high-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability in Craftcms Craft Cms. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 8.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Craft CMS, a popular content management system, is affected by CVE-2026-28695, an authenticated remote code execution (RCE) vulnerability with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). The issue stems from server-side template injection (SSTI) in version 5.8.21, where the create() Twig function exposes Craft::createObject(). This allows instantiation of arbitrary PHP classes with constructor arguments, which, when combined with the bundled symfony/process dependency, enables a gadget chain for RCE. The vulnerability is linked to CWE-1336 (Incorrect Handling of Syntactic Elements) and bypasses the mitigation for the related CVE-2025-57811, which was addressed in Craft CMS 5.8.7.

An attacker with authenticated administrator privileges can exploit this vulnerability over the network with low complexity and no user interaction required. By crafting malicious Twig templates that leverage the create() function and symfony/process components, the attacker can execute arbitrary code on the server, potentially leading to full compromise including high confidentiality, integrity, and availability impacts.

The Craft CMS security advisory (GHSA-94rc-cqvm-m4pw) and associated commit (e31e50849ad71638e11ea55fbd1ed90ae8f8f6e0) detail the fix, which is available in versions 5.9.0-beta.1 and 4.17.0-beta.1. Security practitioners should urge users to update to these patched releases immediately, as the vulnerability circumvents prior protections.

EU & UK References

Vulnerability details

Craft is a content management system (CMS). There is an authenticated admin RCE in Craft CMS 5.8.21 via Server-Side Template Injection using the create() Twig function combined with a Symfony Process gadget chain. The create() Twig function exposes Craft::createObject(), which…

more

allows instantiation of arbitrary PHP classes with constructor arguments. Combined with the bundled symfony/process dependency, this enables RCE. This bypasses the fix implemented for CVE-2025-57811 (patched in 5.8.7). This vulnerability is fixed in 5.9.0-beta.1 and 4.17.0-beta.1.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1221 Template Injection Stealth
Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts.
Why these techniques?

SSTI in public-facing Craft CMS web app directly enables T1221 (Template Injection) for RCE; maps to T1190 (Exploit Public-Facing Application) as the attack vector.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-68454Same product: Craftcms Craft Cms
CVE-2026-28697Same product: Craftcms Craft Cms
CVE-2026-28784Same product: Craftcms Craft Cms
CVE-2026-28783Same product: Craftcms Craft Cms
CVE-2025-23209Same product: Craftcms Craft Cms
CVE-2025-68455Same product: Craftcms Craft Cms
CVE-2026-25498Same product: Craftcms Craft Cms
CVE-2026-25495Same product: Craftcms Craft Cms
CVE-2026-28696Same product: Craftcms Craft Cms
CVE-2025-68456Same product: Craftcms Craft Cms

Affected Assets

craftcms
craft cms
4.0.0, 5.0.0 · 4.0.0 — 4.17.0 · 5.0.0 — 5.9.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires applying the vendor patch (5.9.0-beta.1 / 4.17.0-beta.1) that eliminates the create() Twig exposure and gadget chain.

prevent

Enforces validation and sanitization of Twig template inputs to block the SSTI that instantiates arbitrary classes via Craft::createObject().

prevent

Restricts the CMS to least functionality by disabling or removing the create() Twig function and unused Symfony Process components that enable the RCE chain.

References