Unsandboxed Twig Code Execution in Craft CMS
CVE-2026-55794
8.7HIGH
What is CVE-2026-55794?
In Craft CMS versions 5.9.0 and above prior to 5.10.0, an issue allows control panel users who can edit entries to execute unsandboxed Twig code through the HTTP Referrer header. Specifically, when users save entries, a signed redirect URL can be specified and is compiled as a Twig template via the renderObjectTemplate() function. This poses a risk as the control over the 'Referer' HTTP request header allows attackers to exploit this functionality, leading to potential authenticated remote code execution (RCE). The vulnerability has been corrected in version 5.10.0.
Affected Version(s)
cms >= 5.9.0, < 5.10.0
