Unsandboxed Twig Code Execution in Craft CMS
CVE-2026-55794

8.7HIGH

Key Information:

Vendor

Craftcms

Status
Vendor
CVE Published:
1 July 2026

What is CVE-2026-55794?

In Craft CMS versions 5.9.0 and above prior to 5.10.0, an issue allows control panel users who can edit entries to execute unsandboxed Twig code through the HTTP Referrer header. Specifically, when users save entries, a signed redirect URL can be specified and is compiled as a Twig template via the renderObjectTemplate() function. This poses a risk as the control over the 'Referer' HTTP request header allows attackers to exploit this functionality, leading to potential authenticated remote code execution (RCE). The vulnerability has been corrected in version 5.10.0.

Affected Version(s)

cms >= 5.9.0, < 5.10.0

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.