Cyber Resilience

CVE-2026-28784

Severity: High
Published: 04 March 2026
Modified: 05 March 2026
CVSS v4.0 base score: 8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N; threat and environmental metrics not defined)
EPSS score: 0.0051 (39.7th percentile)
Risk priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-28784 is a high-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability in Craft CMS (craftcms/cms). Its CVSS v4.0 base score is 8.6 (High); its CVSS v3.1 base score is 7.2.

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 39.7th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-28784 is a remote code execution (RCE) vulnerability in Craft, a content management system (CMS). It affects versions prior to 5.8.22 and 4.16.18. The flaw is that text fields which accept Twig input, under Settings in the Craft control panel and in the System Messages utility, can carry a malicious payload built around the Twig map filter; when Craft renders that template, the payload executes code on the server.

Exploitation requires authenticated access to the control panel, which is why the vector carries PR:H. There are two paths. An administrator can use the Settings fields, but only when allowAdminChanges is enabled, which Craft advises against for any non-development environment. Alternatively, a non-administrator account that has been granted access to the System Messages utility can exploit it even with allowAdminChanges disabled, because that utility is not gated by the setting. Successful attacks yield RCE on the server. The issue carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and is classified as CWE-1336.

To mitigate, update to the patched versions 5.8.22 or 4.16.18. Advisories also emphasize setting allowAdminChanges to false in production, but note the limit of that control: it closes only the Settings path, not the System Messages path, so on an unpatched install the System Messages permission should be treated as equivalent to code execution and restricted accordingly. See the Craft knowledge base article at https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production, the GitHub pull request at https://github.com/craftcms/cms/pull/18208, and the security advisory at https://github.com/craftcms/cms/security/advisories/GHSA-qc86-q28f-ggww.
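The two checks above (installed version against the fixed versions, and whether allowAdminChanges is disabled in production) are easy to automate across a fleet. The script below is an added example, not Craft's code or part of the advisory. It assumes a standard Composer-managed project with composer.lock at the root, and that the production environment sets CRAFT_ALLOW_ADMIN_CHANGES in .env (Craft 4+ accepts CRAFT_-prefixed environment variables as general-config overrides); the sample lock file and .env contents are constructed for the example.

```python
"""Audit a Craft CMS checkout against CVE-2026-28784 (added example, not Craft's code).

Assumptions (not from the advisory): composer.lock sits at the project root and
records craftcms/cms; CRAFT_ALLOW_ADMIN_CHANGES in .env overrides the
allowAdminChanges general-config setting, which defaults to true.
"""
import json
import re

# Fixed versions named in the advisory, keyed by major branch.
FIXED = {4: (4, 16, 18), 5: (5, 8, 22)}


def parse_version(v):
    """'5.8.21' -> (5, 8, 21); tolerates a leading 'v' and pre-release suffixes."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if version is in an affected 4.x/5.x range, False if patched,
    None if the branch is outside the advisory's scope (e.g. 3.x)."""
    t = parse_version(version)
    fixed = FIXED.get(t[0])
    if fixed is None:
        return None
    return t < fixed


def cms_version_from_lock(lock_text):
    """Return the craftcms/cms version recorded in composer.lock, or None."""
    data = json.loads(lock_text)
    for pkg in data.get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg.get("version")
    return None


def admin_changes_from_env(env_text):
    """Parse CRAFT_ALLOW_ADMIN_CHANGES from .env text; None if it is not set."""
    for line in env_text.splitlines():
        line = line.strip()
        if line.startswith("CRAFT_ALLOW_ADMIN_CHANGES="):
            value = line.split("=", 1)[1].strip().strip("\"'").lower()
            return value in ("1", "true", "yes", "on")
    return None


def audit(lock_text, env_text):
    """Combine both checks into a list of actionable findings (empty == clean)."""
    findings = []
    version = cms_version_from_lock(lock_text)
    if version is None:
        findings.append("craftcms/cms not found in composer.lock")
    else:
        status = is_affected(version)
        if status is True:
            fixed = ".".join(str(n) for n in FIXED[parse_version(version)[0]])
            findings.append(f"craftcms/cms {version} is affected; update to {fixed}")
        elif status is None:
            findings.append(f"craftcms/cms {version} is outside the advisory's 4.x/5.x ranges; verify separately")
    # Unset counts as enabled because Craft's default for allowAdminChanges is true.
    if admin_changes_from_env(env_text) is not False:
        findings.append("allowAdminChanges is not explicitly disabled; set CRAFT_ALLOW_ADMIN_CHANGES=false in production")
    return findings


# Constructed sample inputs for the example; not real project files.
SAMPLE_LOCK = json.dumps({"packages": [{"name": "craftcms/cms", "version": "5.8.21"}]})
SAMPLE_ENV = "CRAFT_ENVIRONMENT=production\nCRAFT_ALLOW_ADMIN_CHANGES=true\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOCK, SAMPLE_ENV):
        print("-", finding)
```

Run it from the project root after substituting the real file contents for the samples; a clean install returns no findings. The version check deliberately reports 3.x installs as out of scope rather than safe, since the advisory says nothing about that branch.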


Vulnerability details

Craft is a content management system (CMS). Prior to 5.8.22 and 4.16.18, it is possible to craft a malicious payload using the Twig map filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to an RCE. For this to work, you must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled, which is against our recommendations for any non-dev environment. Alternatively, you can have a non-administrator account with allowAdminChanges disabled, but you have access to the System Messages utility. Users should update to the patched versions (5.8.22 and 4.16.18) to mitigate the issue.
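On an install that cannot be patched immediately, the next question is whether anyone has already put a map-filter payload into a Twig-bearing field. The scanner below is an added example, not Craft's code and not taken from the advisory. It relies on one heuristic that is our assumption rather than a statement from the vendor: Twig documents the map filter as taking an arrow function (for example map(v => v.title)), so a map() call whose callback is anything else, such as a quoted string or a bare name, has no ordinary use in a template and deserves a manual look. The message export format and its bodies are constructed for the example; feed it the real system message bodies and Settings values from your install.

```python
"""Hunt for map() calls that do not take an arrow function in Twig-bearing fields.

Added example, not Craft's code. Heuristic (our assumption): Twig's documented
map filter takes an arrow function, so any other callback form is suspicious.
"""
import re

# `|map(` followed by up to 60 characters of argument text (re.S spans newlines).
MAP_CALL = re.compile(r"\|\s*map\s*\(\s*(?P<arg>.{0,60})", re.S)
# The legitimate shapes: `x =>`, `(x) =>`, `(k, v) =>`.
ARROW = re.compile(r"^\(?\s*\w+(\s*,\s*\w+)?\s*\)?\s*=>")


def suspicious_map_uses(template):
    """Return the callback text of each map() call that is not an arrow function."""
    hits = []
    for m in MAP_CALL.finditer(template):
        arg = m.group("arg").strip()
        if not ARROW.match(arg):
            # Keep only the text up to the closing parenthesis for the report.
            hits.append(arg.split(")")[0].strip())
    return hits


def scan_messages(messages):
    """messages: iterable of dicts with key, language and body, e.g. an export of
    the control panel's system messages. Returns (key, language, callback) tuples."""
    findings = []
    for msg in messages:
        for arg in suspicious_map_uses(msg.get("body", "")):
            findings.append((msg["key"], msg["language"], arg))
    return findings


# Constructed sample export; the bodies are made up for this example.
SAMPLE_MESSAGES = [
    {"key": "account_activation", "language": "en-US",
     "body": "Hi {{ user.friendlyName }}, activate your account at {{ link }}."},
    {"key": "forgot_password", "language": "en-US",
     "body": "Groups: {{ user.groups|map(g => g.name)|join(', ') }}"},
    {"key": "test_email", "language": "de-DE",
     "body": "{{ ['x']|map('some_function_name')|join }}"},
]

if __name__ == "__main__":
    for key, language, callback in scan_messages(SAMPLE_MESSAGES):
        print(f"{key} [{language}]: map() called with non-arrow callback {callback}")
```

The same scanner applies to the Settings fields that accept Twig, since the advisory names both locations; a hit is a lead for review, not proof of compromise, and a clean result says nothing about payloads that avoid the map filter.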

CWE(s)

CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

A Twig payload in the Settings fields or the System Messages utility turns control-panel access on a public-facing Craft CMS into server-side code execution, which is T1190 (exploit public-facing application). Because the entry point is a limited admin or utility permission and the outcome is full code execution on the host, it is also T1068 (exploitation for privilege escalation).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-68454 (same product: Craft CMS)
CVE-2026-28695 (same product: Craft CMS)
CVE-2026-28697 (same product: Craft CMS)
CVE-2026-32267 (same product: Craft CMS)
CVE-2026-31857 (same product: Craft CMS)
CVE-2026-25497 (same product: Craft CMS)
CVE-2026-28783 (same product: Craft CMS)
CVE-2026-25498 (same product: Craft CMS)
CVE-2026-25495 (same product: Craft CMS)
CVE-2025-68455 (same product: Craft CMS)

Affected Assets

craftcms/cms (Craft CMS)
Listed version ranges: 4.0.0 to 4.17.0 and 5.0.0 to 5.9.0. Per the advisory, the affected versions are those prior to 4.16.18 on the 4.x branch and prior to 5.8.22 on the 5.x branch.

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Directly requires applying the vendor patches (5.8.22/4.16.18) that close the Twig map-filter RCE vector.

CM-6 Configuration Settings (prevent)
Enforces the documented secure setting of allowAdminChanges=false in production, blocking the Settings-page exploitation path (it does not block the System Messages path).

Access restriction (prevent)
Limits accounts that can reach the System Messages utility or Settings pages, reducing the number of principals able to supply malicious Twig payloads.
