File Reading Vulnerability in Craft CMS Affects User Control Panels
CVE-2026-55792
What is CVE-2026-55792?
Craft CMS contains a vulnerability that allows users with the utility:system-messages permission to exploit the dataUrl() function within the CMS's Twig sandbox. This issue permits the embedding of a file-reading payload into system email templates. When such emails are sent, the server reads the contents of targeted files, including sensitive information from the .env file, and embeds it as a base64-encoded data URL in the email body. This can expose critical data such as the database password and CRAFT_SECURITY_KEY. If an attacker obtains the CRAFT_SECURITY_KEY, they can forge session tokens, potentially leading to full administrative takeover of the affected Craft CMS instance. This vulnerability has been remediated in versions 4.18.0 and 5.10.0.
Affected Version(s)
cms >= 4.0.0-RC1, < 4.18.0 < 4.0.0-RC1, 4.18.0
cms >= 5.0.0-RC1, < 5.10.0 < 5.0.0-RC1, 5.10.0
