Server-Side Template Injection in Craft CMS Affects Remote Code Execution
CVE-2026-28697

9.4CRITICAL

Key Information:

Vendor

Craftcms

Status
Cms
Vendor
CVE Published:
4 March 2026

What is CVE-2026-28697?

Craft CMS prior to version 4.17.0-beta.1 and 5.9.0-beta.1 is susceptible to a Server-Side Template Injection (SSTI) vulnerability. An authenticated administrator can exploit this flaw by injecting a malicious payload into Twig template fields, such as Email Templates. This enables the attacker to invoke the craft.app.fs.write() method, allowing them to write and deploy a harmful PHP script in a directory accessible over the web. Once the script is executed through a web browser, the attacker gains the ability to execute arbitrary system commands, potentially jeopardizing the security of affected systems.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

cms >= 5.0.0-RC1, < 5.9.0-beta.1 < 5.0.0-RC1, 5.9.0-beta.1

cms >= 4.0.0-RC1, < 4.17.0-beta.1 < 4.0.0-RC1, 4.17.0-beta.1

References

https://github.com/craftcms/cms/security/advisories/GHSA-...
x_refsource_CONFIRM
https://github.com/craftcms/cms/pull/18216
x_refsource_MISC
https://github.com/craftcms/cms/pull/18219
x_refsource_MISC

CVSS V4

Score:
9.4
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.