CVE-2026-28695
Published: 04 March 2026
Summary
CVE-2026-28695 is a high-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability in Craftcms Craft Cms. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 8.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Craft CMS, a popular content management system, is affected by CVE-2026-28695, an authenticated remote code execution (RCE) vulnerability with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). The issue stems from server-side template injection (SSTI) in version 5.8.21, where the create() Twig function exposes Craft::createObject(). This allows instantiation of arbitrary PHP classes with constructor arguments, which, when combined with the bundled symfony/process dependency, enables a gadget chain for RCE. The vulnerability is linked to CWE-1336 (Incorrect Handling of Syntactic Elements) and bypasses the mitigation for the related CVE-2025-57811, which was addressed in Craft CMS 5.8.7.
An attacker with authenticated administrator privileges can exploit this vulnerability over the network with low complexity and no user interaction required. By crafting malicious Twig templates that leverage the create() function and symfony/process components, the attacker can execute arbitrary code on the server, potentially leading to full compromise including high confidentiality, integrity, and availability impacts.
The Craft CMS security advisory (GHSA-94rc-cqvm-m4pw) and associated commit (e31e50849ad71638e11ea55fbd1ed90ae8f8f6e0) detail the fix, which is available in versions 5.9.0-beta.1 and 4.17.0-beta.1. Security practitioners should urge users to update to these patched releases immediately, as the vulnerability circumvents prior protections.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9421
Vulnerability details
Craft is a content management system (CMS). There is an authenticated admin RCE in Craft CMS 5.8.21 via Server-Side Template Injection using the create() Twig function combined with a Symfony Process gadget chain. The create() Twig function exposes Craft::createObject(), which…
more
allows instantiation of arbitrary PHP classes with constructor arguments. Combined with the bundled symfony/process dependency, this enables RCE. This bypasses the fix implemented for CVE-2025-57811 (patched in 5.8.7). This vulnerability is fixed in 5.9.0-beta.1 and 4.17.0-beta.1.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSTI in public-facing Craft CMS web app directly enables T1221 (Template Injection) for RCE; maps to T1190 (Exploit Public-Facing Application) as the attack vector.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires applying the vendor patch (5.9.0-beta.1 / 4.17.0-beta.1) that eliminates the create() Twig exposure and gadget chain.
Enforces validation and sanitization of Twig template inputs to block the SSTI that instantiates arbitrary classes via Craft::createObject().
Restricts the CMS to least functionality by disabling or removing the create() Twig function and unused Symfony Process components that enable the RCE chain.