File Reading Vulnerability in Craft CMS Affects User Control Panels
CVE-2026-55792

6MEDIUM

Key Information:

Vendor

Craftcms

Status
Vendor
CVE Published:
1 July 2026

What is CVE-2026-55792?

Craft CMS contains a vulnerability that allows users with the utility:system-messages permission to exploit the dataUrl() function within the CMS's Twig sandbox. This issue permits the embedding of a file-reading payload into system email templates. When such emails are sent, the server reads the contents of targeted files, including sensitive information from the .env file, and embeds it as a base64-encoded data URL in the email body. This can expose critical data such as the database password and CRAFT_SECURITY_KEY. If an attacker obtains the CRAFT_SECURITY_KEY, they can forge session tokens, potentially leading to full administrative takeover of the affected Craft CMS instance. This vulnerability has been remediated in versions 4.18.0 and 5.10.0.

Affected Version(s)

cms >= 4.0.0-RC1, < 4.18.0 < 4.0.0-RC1, 4.18.0

cms >= 5.0.0-RC1, < 5.10.0 < 5.0.0-RC1, 5.10.0

References

CVSS V4

Score:
6
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.