Craft Cms · Craft Cms · CVE-2026-28695
**Name of the Vulnerable Software and Affected Versions**
Craft CMS version 5.8.21
Craft CMS versions prior to 4.17.0-beta.1
Craft CMS versions prior to 5.9.0-beta.1
**Description**
Craft CMS contains an authenticated Remote Code Execution (RCE) issue. It is a Server-Side Template Injection (SSTI) that uses the `create()` Twig function together with a Symfony Process gadget chain. The `create()` Twig function exposes `Craft::createObject()`, which allows the instantiation of arbitrary PHP classes with constructor arguments; combined with the `symfony/process` dependency, this yields RCE. The issue bypasses the previous fix for CVE-2025-57811. The vulnerability is triggered through the Title Format field in the admin panel (Settings → Entry Types). A proof-of-concept payload uses the `create()` function to instantiate a `Symfony\Component\Process\Process` object and executes a command via `p.mustRun.getOutput()`. Successful exploitation allows full server compromise, since the code runs with the web server user's privileges. The root cause is the ability to instantiate any class, including `Symfony\Component\Process\Process`, which then executes shell commands.
**Recommendations**
Craft CMS versions prior to 4.17.0-beta.1 should be updated to version 4.17.0-beta.1 or later.
Craft CMS versions prior to 5.9.0-beta.1 should be updated to version 5.9.0-beta.1 or later.
As a temporary workaround, consider one or more of the following:
- block dangerous classes in `createObject()` when called from Twig;
- remove or restrict the `create()` Twig function;
- validate class names against an allowlist.
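The allowlist workaround above, written out as an added example (not Craft's own code): a Twig extension that re-registers `create()` and only delegates to `Craft::createObject()` when the requested class is on an explicit list. It assumes Twig 3's `AbstractExtension`/`TwigFunction`, that the extension is registered so it takes precedence over the built-in `create()`, and that the single allowlist entry is a placeholder to be replaced per site. It also checks the array config shape `createObject()` accepts, not just the plain string, so the list cannot be sidestepped by that form.

```php
<?php
// Added example (not Craft's code): allowlisted replacement for Twig create().
use Twig\Extension\AbstractExtension;
use Twig\TwigFunction;

final class RestrictedCreateExtension extends AbstractExtension
{
    // Exact class names templates may instantiate (site-specific assumption).
    private const ALLOWED_CLASSES = [
        'craft\helpers\DateTimeHelper', // placeholder entry
    ];

    public function getFunctions(): array
    {
        // Same name as the built-in, so existing templates need no changes.
        return [new TwigFunction('create', [$this, 'create'])];
    }

    public function create($type): object
    {
        $class = self::classNameFrom($type);
        // PHP class names are case-insensitive, so the comparison is too.
        foreach (self::ALLOWED_CLASSES as $allowed) {
            if (strcasecmp($class, $allowed) === 0) {
                return \Craft::createObject($type);
            }
        }
        throw new \RuntimeException("create(): '$class' is not permitted in templates");
    }

    // Mirrors the argument shapes Yii's createObject() accepts and refuses the
    // ones (callables, unknown arrays) that cannot be checked against the list.
    private static function classNameFrom($type): string
    {
        if (is_string($type)) {
            $class = $type;
        } elseif (is_callable($type, true)) {
            throw new \RuntimeException('create(): callables are not permitted');
        } elseif (is_array($type)) {
            // Yii consults '__class' before 'class'; keep the same precedence.
            $class = $type['__class'] ?? $type['class'] ?? null;
        } else {
            throw new \RuntimeException('create(): unsupported argument');
        }
        if (!is_string($class)) {
            throw new \RuntimeException('create(): class name must be a string');
        }
        return ltrim($class, '\\'); // '\Foo\Bar' and 'Foo\Bar' name the same class
    }
}
```

Anything not on the list, including the `Symfony\Component\Process` classes named above, fails closed with an exception rather than reaching `createObject()`.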