CVE-2026-28784
Published: 04 March 2026
Summary
CVE-2026-28784 is a high-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability in Craft CMS (craftcms/cms). Its CVSS v3.1 base score is 7.2 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 5.8th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog. Note that the vector requires high privileges (PR:H): the attacker already needs a Craft control panel account, so this is a post-authentication issue rather than an unauthenticated remote one.
Threat & Defense Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A Twig payload submitted through control-panel settings fields or the System Messages utility of a public-facing Craft CMS install yields remote code execution, which maps to T1190 (Exploit Public-Facing Application). Because the precondition is a limited control-panel account (an administrator with allowAdminChanges enabled, or any user granted the System Messages utility) and the outcome is code execution on the host, it also maps to T1068 (Exploitation for Privilege Escalation).
NVD Description
Craft is a content management system (CMS). Prior to 5.8.22 and 4.16.18, it is possible to craft a malicious payload using the Twig map filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE. For this to work, you must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled for this to work, which is against our recommendations for any non-dev environment. Alternatively, you can have a non-administrator account with allowAdminChanges disabled, but you have access to the System Messages utility. Users should update to the patched versions (5.8.22 and 4.16.18) to mitigate the issue.
Deeper analysis
CVE-2026-28784 is a remote code execution (RCE) vulnerability in Craft, a content management system (CMS). It affects Craft 5 releases before 5.8.22 and Craft 4 releases before 4.16.18. The flaw is a server-side template injection: text fields under Settings in the Craft control panel that accept Twig input, and the System Messages utility, allow a malicious payload built around the Twig map filter to reach code execution.
There are two exploitation paths, both post-authentication. The first requires an administrator account on the Craft control panel with allowAdminChanges enabled, a setting the vendor recommends against in any non-development environment. The second requires only a non-administrator account that has been granted the System Messages utility, and works even with allowAdminChanges disabled. Setting allowAdminChanges to false therefore closes the Settings path but not the System Messages path; only the patch closes both. The CVSS v3.1 base score is 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), and the weakness is classified as CWE-1336.
To mitigate, update to the patched versions 5.8.22 (Craft 5) or 4.16.18 (Craft 4). Until then, review which users hold the System Messages utility permission and keep allowAdminChanges set to false in production, as detailed in the Craft knowledge base article at https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production, the GitHub pull request at https://github.com/craftcms/cms/pull/18208, and the security advisory at https://github.com/craftcms/cms/security/advisories/GHSA-qc86-q28f-ggww.
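The two checks above (is the installed Craft release patched, and is allowAdminChanges disabled for this environment) are easy to script over a Composer-managed Craft project. The following is an added example, not Craft's own code or tooling. It assumes the project's composer.lock carries a craftcms/cms package entry and that allowAdminChanges is controlled through the CRAFT_ALLOW_ADMIN_CHANGES environment override in .env; if the setting is instead declared in config/general.php, that file has to be inspected separately. The sample composer.lock and .env contents are constructed for illustration.

```python
"""Triage helper for CVE-2026-28784 (added example, not Craft's own code).

Reports whether craftcms/cms in composer.lock predates the patched release
for its major version, and whether .env leaves allowAdminChanges enabled
via the CRAFT_ALLOW_ADMIN_CHANGES override (assumption: the setting is
driven from .env; config/general.php can also set it and is not parsed here).
"""
import json
import re

# Patched releases per the advisory: 4.16.18 for the 4.x line, 5.8.22 for 5.x.
PATCHED = {4: (4, 16, 18), 5: (5, 8, 22)}

# Constructed sample inputs standing in for a real project's files.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "craftcms/cms", "version": "5.8.21"},
        {"name": "twig/twig", "version": "v3.14.0"},
    ]
})
SAMPLE_ENV = "CRAFT_ENVIRONMENT=production\nCRAFT_ALLOW_ADMIN_CHANGES=true\n"


def parse_version(v):
    """'5.8.21' or 'v5.8.21' -> (5, 8, 21); any pre-release suffix is dropped."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True if the release predates the patch for its major line.

    Returns None for major versions the advisory does not cover (for example
    3.x); treat that as 'unknown', not as safe.
    """
    ver = parse_version(version)
    if ver[0] not in PATCHED:
        return None
    return ver < PATCHED[ver[0]]


def craft_version_from_lock(composer_lock_text):
    """Return the locked craftcms/cms version string, or None if absent."""
    lock = json.loads(composer_lock_text)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg.get("version")
    return None


def admin_changes_allowed(env_text):
    """True/False from CRAFT_ALLOW_ADMIN_CHANGES in .env, None if it is not set."""
    for line in env_text.splitlines():
        line = line.strip()
        if line.startswith("CRAFT_ALLOW_ADMIN_CHANGES="):
            val = line.split("=", 1)[1].strip().strip("\"'").lower()
            return val in ("1", "true", "yes", "on")
    return None


def triage(composer_lock_text, env_text):
    """Combine both checks into a dict with a list of actionable findings."""
    version = craft_version_from_lock(composer_lock_text)
    findings = []
    if version is None:
        vuln = None
        findings.append("craftcms/cms not found in composer.lock")
    else:
        vuln = is_vulnerable(version)
        if vuln:
            findings.append(f"craftcms/cms {version} predates the patched release; update")
    allowed = admin_changes_allowed(env_text)
    if allowed is None:
        findings.append("CRAFT_ALLOW_ADMIN_CHANGES not set in .env; verify config/general.php")
    elif allowed:
        findings.append("allowAdminChanges is enabled; set it to false outside dev")
    return {
        "version": version,
        "vulnerable": vuln,
        "allow_admin_changes": allowed,
        "findings": findings,
    }


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOCK, SAMPLE_ENV)["findings"]:
        print(finding)
```

Even when both checks come back clean, the System Messages path remains open on an unpatched release, so the version check is the one that decides whether the host is exposed; the allowAdminChanges check only narrows who can reach the Settings path.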
Details
- CWE(s)