CVE-2026-28783
Published: 04 March 2026
Summary
CVE-2026-28783 is a critical-severity Code Injection (CWE-94) vulnerability in Craftcms Craft Cms. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 10.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly addresses the vulnerability by requiring timely remediation of the incomplete PHP function blocklist through patching to fixed Craft CMS versions 5.9.0-beta.1 or 4.17.0-beta.1.
Enforces least privilege to restrict access to administrator accounts or the System Messages utility, blocking exploitation prerequisites.
Mandates secure configuration settings, such as disabling allowAdminChanges in production, to eliminate one key exploitation condition.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The incomplete PHP function blocklist in Twig templates directly enables code injection leading to RCE (and related impacts like file read/SSRF) on a public-facing Craft CMS application, mapping to T1190 for exploitation of the web app and T1059 for resulting command/script execution via dangerous PHP functions (e.g., system/exec equivalents).
NVD Description
Craft is a content management system (CMS). Prior to 5.9.0-beta.1 and 4.17.0-beta.1, Craft CMS implements a blocklist to prevent potentially dangerous PHP functions from being called via Twig non-Closure arrow functions. In order to be able to successfully execute this attack, you need to either have allowAdminChanges enabled on production, or a compromised admin account, or an account with access to the System Messages utility. Several PHP functions are not included in the blocklist, which could allow malicious actors with the required permissions to execute various types of payloads, including RCEs, arbitrary file reads, SSRFs, and SSTIs. This vulnerability is fixed in 5.9.0-beta.1 and 4.17.0-beta.1.
Deeper analysis
Craft CMS, a content management system, is affected by CVE-2026-28783 in versions prior to 5.9.0-beta.1 and 4.17.0-beta.1. The vulnerability stems from an incomplete blocklist designed to prevent dangerous PHP functions from being invoked via Twig non-Closure arrow functions. Several PHP functions are omitted from this blocklist, enabling the execution of malicious payloads when certain conditions are met.
Exploitation requires either the allowAdminChanges setting enabled in production environments, a compromised administrator account, or an account with access to the System Messages utility. Attackers with these privileges can leverage the flaw to execute various payloads, including remote code execution (RCE), arbitrary file reads, server-side request forgery (SSRF), and server-side template injection (SSTI). The issue carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) and is associated with CWE-94 (Code Injection), CWE-184 (Incomplete List of Disallowed Inputs), and CWE-1336 (Improper Neutralization of Special Elements).
The vulnerability is addressed in Craft CMS versions 5.9.0-beta.1 and 4.17.0-beta.1, which update the blocklist to include the missing PHP functions. Official mitigation details are available in the Craft CMS security advisory at https://github.com/craftcms/cms/security/advisories/GHSA-5fvc-7894-ghp4 and the corresponding pull request at https://github.com/craftcms/cms/pull/18208, recommending immediate upgrades for affected installations.
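As an added defender-side check (not code from the advisory or from Craft CMS), the script below reads the craftcms/cms version pinned in composer.lock, compares it against the fixed versions named above with correct pre-release ordering (5.9.0-beta.1 is older than 5.9.0, but already fixed), and flags whether allowAdminChanges is enabled. It assumes the array form of config/general.php and uses constructed sample inputs; the fluent GeneralConfig builder syntax is not parsed.

```python
import json
import re

# Fixed versions named in the advisory, keyed by major branch.
FIXED = {4: "4.17.0-beta.1", 5: "5.9.0-beta.1"}


def parse_version(v):
    """Turn '5.9.0-beta.1' into a tuple that sorts correctly: a final
    release (5.9.0) ranks above its own pre-releases. Returns None for
    non-numeric versions such as 'dev-main'."""
    core, _, pre = v.lstrip("v").partition("-")
    try:
        nums = tuple(int(x) for x in core.split("."))
    except ValueError:
        return None
    nums = (nums + (0, 0, 0))[:3]              # pad '5.9' to (5, 9, 0)
    if not pre:
        return nums + ((1,),)                  # final release > any pre-release
    tag, _, n = pre.partition(".")
    return nums + ((0, tag, int(n or 0)),)


def is_vulnerable(installed):
    """True if the version predates the fix for its major branch; None if
    the branch is not covered by the advisory or the version is unparsable."""
    parsed = parse_version(installed)
    if parsed is None or parsed[0] not in FIXED:
        return None
    return parsed < parse_version(FIXED[parsed[0]])


def installed_version(composer_lock_text):
    """Extract the craftcms/cms version pinned in composer.lock."""
    for pkg in json.loads(composer_lock_text).get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg.get("version")
    return None


def admin_changes_enabled(general_config_text):
    """Detect 'allowAdminChanges' => true in an array-style config/general.php
    (assumed layout; only one of the exploitation conditions the advisory lists)."""
    m = re.search(r"['\"]allowAdminChanges['\"]\s*=>\s*(true|false)", general_config_text)
    return bool(m and m.group(1) == "true")


# Constructed sample inputs standing in for a real project's files.
SAMPLE_LOCK = json.dumps({"packages": [{"name": "craftcms/cms", "version": "5.8.3"}]})
SAMPLE_CONFIG = "<?php\nreturn ['allowAdminChanges' => true, 'devMode' => false];"


def assess(lock_text, config_text):
    ver = installed_version(lock_text)
    return {"version": ver,
            "vulnerable": is_vulnerable(ver) if ver else None,
            "allowAdminChanges": admin_changes_enabled(config_text)}


if __name__ == "__main__":
    print(assess(SAMPLE_LOCK, SAMPLE_CONFIG))
```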
Details
- CWE(s)