CVE-2026-28695
Published: 04 March 2026
Summary
CVE-2026-28695 is a high-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability in Craftcms Craft Cms. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 7.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSTI in public-facing Craft CMS web app directly enables T1221 (Template Injection) for RCE; maps to T1190 (Exploit Public-Facing Application) as the attack vector.
NVD Description
Craft is a content management system (CMS). There is an authenticated admin RCE in Craft CMS 5.8.21 via Server-Side Template Injection using the create() Twig function combined with a Symfony Process gadget chain. The create() Twig function exposes Craft::createObject(), which…
more
allows instantiation of arbitrary PHP classes with constructor arguments. Combined with the bundled symfony/process dependency, this enables RCE. This bypasses the fix implemented for CVE-2025-57811 (patched in 5.8.7). This vulnerability is fixed in 5.9.0-beta.1 and 4.17.0-beta.1.
Deeper analysisAI
Craft CMS, a popular content management system, is affected by CVE-2026-28695, an authenticated remote code execution (RCE) vulnerability with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). The issue stems from server-side template injection (SSTI) in version 5.8.21, where the create() Twig function exposes Craft::createObject(). This allows instantiation of arbitrary PHP classes with constructor arguments, which, when combined with the bundled symfony/process dependency, enables a gadget chain for RCE. The vulnerability is linked to CWE-1336 (Incorrect Handling of Syntactic Elements) and bypasses the mitigation for the related CVE-2025-57811, which was addressed in Craft CMS 5.8.7.
An attacker with authenticated administrator privileges can exploit this vulnerability over the network with low complexity and no user interaction required. By crafting malicious Twig templates that leverage the create() function and symfony/process components, the attacker can execute arbitrary code on the server, potentially leading to full compromise including high confidentiality, integrity, and availability impacts.
The Craft CMS security advisory (GHSA-94rc-cqvm-m4pw) and associated commit (e31e50849ad71638e11ea55fbd1ed90ae8f8f6e0) detail the fix, which is available in versions 5.9.0-beta.1 and 4.17.0-beta.1. Security practitioners should urge users to update to these patched releases immediately, as the vulnerability circumvents prior protections.
Details
- CWE(s)