Remote Code Execution Vulnerability in Craft CMS by Craft
CVE-2026-28784

8.6HIGH

Key Information:

Vendor

Craftcms

Status
Cms
Vendor
CVE Published:
4 March 2026

What is CVE-2026-28784?

Craft CMS versions prior to 5.8.22 and 4.16.18 allow potential exploitation through the Twig map filter in text fields that accept Twig input within the Craft control panel or the System Messages utility. An attacker with administrator access could craft a malicious payload that triggers remote code execution, especially if 'allowAdminChanges' is enabled. Although a non-administrator could also exploit this if provided access to the System Messages utility, it is highly discouraged to enable 'allowAdminChanges' in production environments. Users are highly recommended to upgrade to versions 5.8.22 and 4.16.18 to effectively mitigate the risk.

Affected Version(s)

cms >= 5.0.0-RC1, < 5.9.0-beta.1 < 5.0.0-RC1, 5.9.0-beta.1

cms >= 4.0.0-RC1, < 4.17.0-beta.1 < 4.0.0-RC1, 4.17.0-beta.1

References

https://github.com/craftcms/cms/security/advisories/GHSA-...
x_refsource_CONFIRM
https://github.com/craftcms/cms/pull/18208
x_refsource_MISC
https://craftcms.com/knowledge-base/securing-craft#set-al...
x_refsource_MISC

CVSS V4

Score:
8.6
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.