PT-2026-22947 · Craft CMS · Symfony/Process

Andreisss · Published 2026-03-03 · Updated 2026-03-04 · CVE-2026-28695

CVSS v4.0: 7.5 (High)
Vector: AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Craft CMS 5.8.21
Craft CMS versions prior to 4.17.0-beta.1
Craft CMS versions prior to 5.9.0-beta.1
Description

Craft CMS contains an authenticated Remote Code Execution (RCE) issue reachable through Server-Side Template Injection (SSTI). The create() Twig function exposes Craft::createObject(), which instantiates an arbitrary PHP class with caller-supplied constructor arguments. Combined with the symfony/process dependency, this provides a ready-made gadget chain: a template can construct a Symfony\Component\Process\Process object around an attacker-chosen command and run it. The issue bypasses the previous fix for CVE-2025-57811.

The vulnerability is triggered through the Title Format field of an entry type in the admin panel (Settings → Entry Types), which is evaluated as a Twig template. The proof-of-concept payload uses create() to instantiate Symfony\Component\Process\Process and executes the command via p.mustRun.getOutput(). Because the template is evaluated by the web server process, successful exploitation yields code execution with the web server user's privileges and, in effect, full server compromise.

The root cause is that create() allows any loadable class to be instantiated, including Symfony\Component\Process\Process, instead of restricting template-driven instantiation to a safe set of classes.
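Since the trigger is a stored template (the entry type Title Format), a responder will want to know whether any existing title format already calls create() with a class outside an expected set. The following is an added example, not Craft CMS's own code or the advisory author's proof of concept: a triage helper run over constructed sample title formats. Only literal class-name strings are matched, so a clean result narrows the search but does not prove the site was untouched; the function name, the sample rows and the allowlist contents are all assumptions made for this example.

```php
<?php
// Added example, not Craft CMS's own code. Inspects stored Title Format templates
// for create() calls that name classes outside an allowlist. The sample rows below
// are constructed for this example; in a real audit they would be exported from the
// entry type settings. Only literal class names are matched (not names built from
// variables or filters), so treat a clean result as a hint rather than proof.

/**
 * @param array<string,string> $titleFormats   entry type name => Twig source
 * @param string[]             $allowedClasses fully qualified class names
 * @return array<int,array{entryType:string,class:string}>
 */
function findSuspiciousCreateCalls(array $titleFormats, array $allowedClasses): array
{
    $allowed = array_fill_keys(array_map(fn (string $c) => ltrim($c, '\\'), $allowedClasses), true);

    $patterns = [
        // create('Class', ...) and create("Class", ...)
        '/\bcreate\s*\(\s*([\'"])((?:\\\\.|(?!\1).)*)\1/',
        // create({class: 'Class', ...}), the config-array form
        '/\bcreate\s*\(\s*\{[^}]*?\bclass\s*:\s*([\'"])((?:\\\\.|(?!\1).)*)\1/',
    ];

    $findings = [];
    foreach ($titleFormats as $entryType => $template) {
        foreach ($patterns as $pattern) {
            if (!preg_match_all($pattern, $template, $matches, PREG_SET_ORDER)) {
                continue;
            }
            foreach ($matches as $m) {
                // Twig unescapes single-quoted string literals with stripcslashes, so do
                // the same before comparing: 'Symfony\\Component' in source means Symfony\Component.
                $class = ltrim(stripcslashes($m[2]), '\\');
                if (!isset($allowed[$class])) {
                    $findings[] = ['entryType' => $entryType, 'class' => $class];
                }
            }
        }
    }
    return $findings;
}

// Constructed sample: two benign formats and one carrying the payload shape from the advisory.
$sampleTitleFormats = [
    'Article' => '{{ object.author.fullName }} - {{ object.postDate|date("Y-m-d") }}',
    'Press'   => "{{ create({class: 'DateTimeImmutable'}).format('Y') }}",
    'Event'   => "{% set p = create('Symfony\\\\Component\\\\Process\\\\Process', [['id']]) %}{{ p.mustRun.getOutput }}",
];

foreach (findSuspiciousCreateCalls($sampleTitleFormats, [\DateTimeImmutable::class]) as $f) {
    printf("entry type %s instantiates %s\n", $f['entryType'], $f['class']);
}
```

Run with the PHP CLI against the exported title formats; only the Event row is reported because DateTimeImmutable is on the allowlist. Anything the regexes cannot see (a class name assembled from variables, or a call routed through attribute()) still needs a manual read of the template.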
Recommendations

Craft CMS versions prior to 4.17.0-beta.1 should be updated to 4.17.0-beta.1 or later.
Craft CMS versions prior to 5.9.0-beta.1 should be updated to 5.9.0-beta.1 or later.

Temporary workarounds until the update is applied:
block dangerous classes in createObject() when it is called from Twig;
remove or restrict the create() Twig function;
validate class names passed to create() against an allowlist.

Exploitation requires admin panel access (PR:H in the vector), so the workarounds should be paired with a review of who holds such access and of existing entry type Title Format values for unexpected create() usage.
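The unrestricted factory described in the Description and the allowlist workaround from the Recommendations, side by side. This is an added example, not Craft CMS's own code: it uses plain twig/twig (assumed installed via Composer) rather than Craft's template environment, the factory and class names are illustrative, and the hardened variant deliberately accepts only string class names, not Craft's config-array form.

```php
<?php
// Added example, not Craft CMS's own code. Shows the shape of the exposure (a Twig
// function that forwards a template-supplied class name to an object factory) next to
// the recommended workaround: an allowlist checked before any class is instantiated.
// Assumes twig/twig is installed via Composer; names below are illustrative.

require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Error\RuntimeError;
use Twig\Loader\ArrayLoader;
use Twig\TwigFunction;

// Unrestricted factory: any loadable class, any constructor arguments. This is what a
// template author gets when create() maps straight to an object factory; a
// Symfony\Component\Process\Process built here can then be run from the template
// through its mustRun()/getOutput() methods.
function createObjectUnrestricted(string $class, array $params = []): object
{
    return new $class(...$params);
}

// Restricted factory: refuses everything not on an explicit allowlist, before any
// constructor runs.
final class TemplateObjectFactory
{
    /** @var array<string,true> */
    private array $allowed;

    /** @param string[] $allowedClasses fully qualified class names templates may create */
    public function __construct(array $allowedClasses)
    {
        $names = array_map(fn (string $c) => ltrim($c, '\\'), $allowedClasses);
        $this->allowed = array_fill_keys($names, true);
    }

    public function create(string $class, array $params = []): object
    {
        $name = ltrim($class, '\\');
        if (!isset($this->allowed[$name])) {
            throw new \RuntimeException("templates may not instantiate {$name}");
        }
        return new $name(...$params);
    }
}

$factory = new TemplateObjectFactory([\DateTimeImmutable::class]);

$twig = new Environment(new ArrayLoader([
    // Harmless use that the allowlist permits.
    'ok'  => "{{ create('DateTimeImmutable', ['2026-03-03']).format('Y-m-d') }}",
    // The payload shape from the advisory. Nothing is executed: the allowlist rejects
    // the class before a Process object exists. (PHP "\\\\" is Twig "\\", which Twig
    // unescapes to a single backslash.)
    'bad' => "{% set p = create('Symfony\\\\Component\\\\Process\\\\Process', [['id']]) %}{{ p.mustRun.getOutput }}",
]));
// Register the restricted factory under the same name the templates expect.
$twig->addFunction(new TwigFunction('create', [$factory, 'create']));

echo $twig->render('ok'), PHP_EOL;
try {
    $twig->render('bad');
} catch (RuntimeError $e) {
    // Twig wraps the factory's exception; the original message is the previous one.
    echo 'blocked: ', $e->getPrevious()?->getMessage() ?? $e->getMessage(), PHP_EOL;
}
```

Swapping createObjectUnrestricted for the factory's create in the addFunction() call is all it takes to reproduce the exposed behaviour, which is the point: the security boundary is the allowlist, not anything in Twig. Removing the create() function entirely, the other workaround listed above, is the simpler option where templates do not legitimately need it.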

Exploit

Fix

RCE

Path traversal

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2026-28695
GHSA-94RC-CQVM-M4PW

Affected Products

Craft Cms
Symfony/Process