PT-2026-22949 · Pixel & Tonic · Craft
Mhe4Am · Published 2026-03-03 · Updated 2026-03-05 · CVE-2026-28697
CVSS v4.0: 9.4 (Critical)
Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions: Craft CMS 4.x prior to 4.17.0-beta.1 and Craft CMS 5.x prior to 5.9.0-beta.1
Description: Craft is a content management system (CMS). An authenticated administrator can achieve remote code execution (RCE) by injecting a server-side template injection (SSTI) payload into Twig template fields that are editable from the control panel, such as email templates. These templates are rendered with access to the craft.app object, so the attacker can reach the filesystem service: the advisory names the craft.app.fs.write() method as the primitive used to write a malicious PHP script into a web-accessible directory, after which requesting that script from a browser executes arbitrary system commands in the context of the web server. The same access to craft.app properties also discloses sensitive configuration, including the database credentials and the security key. Note the precondition reflected in the vector (PR:H): the attacker must already hold a control-panel account with permission to edit these template fields, so this is a post-authentication privilege-to-code escalation rather than an unauthenticated entry point.
Recommendations: Update Craft CMS 4.x to version 4.17.0-beta.1 or later, and Craft CMS 5.x to version 5.9.0-beta.1 or later. Because exploitation requires an administrator account, also review which accounts hold control-panel admin rights, audit admin-editable Twig templates (such as email templates) for expressions that reference craft.app services or call write(), and check web-accessible directories for PHP files that the deployment did not put there. If a tampered template is found, treat the security key and database credentials as exposed and rotate them.
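The following triage script is an added example for this advisory page; it is not code from Craft CMS, Pixel & Tonic, or the advisory author. It does two things a responder would want after reading the description above: it decides whether a given Craft version string predates the fix on its release line (using only the two fixed versions the advisory lists, with correct ordering of alpha/beta/RC pre-releases against final releases), and it scans the Twig expressions in admin-editable template sources for the access pattern the advisory describes (reaching craft.app services, write() calls, credential-looking property names, PHP open tags). The indicator regexes, the property paths craft.app.config.general.securityKey and craft.app.db, and the two sample templates are this example's own assumptions and constructed input, not a verified payload.

```python
"""Triage helpers for CVE-2026-28697 (Craft CMS: SSTI in admin-editable Twig
fields -> file write -> RCE, plus credential disclosure via craft.app).

Added example for this advisory page; not code from Craft CMS, Pixel & Tonic,
or the advisory author. The version thresholds are the ones the advisory
lists; the Twig indicator patterns are this example's own heuristics.
"""
import re
from typing import Optional

# Fixed versions per the advisory, keyed by major release line.
# Tuple layout matches parse_version(): (major, minor, patch, pre_tag, pre_num).
FIXED_IN = {
    4: (4, 17, 0, "beta", 1),
    5: (5, 9, 0, "beta", 1),
}

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.?(\d+)?)?")


def parse_version(version: str) -> tuple:
    """Turn '5.9.0-beta.1' / '4.16.3' / '5.9.0-RC1' into a comparable tuple.

    A final release must sort after any pre-release of the same number, so a
    final release gets the tag '~', which compares greater than any letter
    (alpha < beta < rc < ~ under plain string ordering).
    """
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    tag = (m.group(4) or "~").lower()
    num = int(m.group(5) or 0)
    return (major, minor, patch, tag, num)


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version predates the fix on its release line, False if it
    is fixed, None if the advisory does not cover that line (e.g. 3.x): treat
    None as unknown, not as safe."""
    parsed = parse_version(version)
    fixed = FIXED_IN.get(parsed[0])
    if fixed is None:
        return None
    return parsed < fixed


# Twig expressions an administrator-editable template (e.g. an email template)
# has no business containing. Heuristic (assumption): tune to the services
# your own templates legitimately touch.
INDICATORS = [
    (re.compile(r"craft\.app\.fs\b"),
     "filesystem service reachable from template (file-write primitive)"),
    (re.compile(r"\.write\s*\("),
     "write() call on an object reached from the template"),
    (re.compile(r"craft\.app\.(config|db|security)\b"),
     "config/db/security service: securityKey or DB credential disclosure"),
    (re.compile(r"\b(securityKey|password|dsn)\b"),
     "credential-looking property referenced"),
    (re.compile(r"<\?php|<\?="),
     "PHP open tag inside template content"),
]

_TWIG_RE = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)


def scan_template(name: str, source: str) -> list:
    """Return one finding per (expression, indicator) match in `source`.
    Only the inside of {{ }} and {% %} is examined, so prose that merely
    mentions 'password' is not flagged."""
    findings = []
    for m in _TWIG_RE.finditer(source):
        expr = m.group(0)
        line = source.count("\n", 0, m.start()) + 1
        for pattern, reason in INDICATORS:
            if pattern.search(expr):
                findings.append({"template": name, "line": line,
                                 "reason": reason, "expression": expr.strip()})
    return findings


# Constructed samples: a benign notification template, and what a holder of
# a control-panel admin session could paste into the same field. The second
# is shaped after the advisory's description, not a verified working payload.
SAMPLE_TEMPLATES = {
    "email/account_activation.twig": (
        "<p>Hi {{ user.friendlyName }},</p>\n"
        "<p>Activate your account: <a href=\"{{ link }}\">{{ link }}</a></p>\n"
        "<p>{{ siteName }}</p>\n"
    ),
    "email/tampered.twig": (
        "<p>Hi {{ user.friendlyName }},</p>\n"
        "{# harmless-looking comment #}\n"
        "{{ craft.app.config.general.securityKey }}\n"
        "{% set out = craft.app.fs.write('web/cache.php', payload) %}\n"
    ),
}


def triage(version: str, templates: dict) -> dict:
    """Combine the version check with a scan of every template source."""
    findings = []
    for name, source in templates.items():
        findings.extend(scan_template(name, source))
    return {"version": version, "vulnerable": is_vulnerable(version),
            "findings": findings}


if __name__ == "__main__":
    report = triage("5.8.12", SAMPLE_TEMPLATES)
    print(f"Craft {report['version']}: vulnerable={report['vulnerable']}")
    for f in report["findings"]:
        print(f"{f['template']}:{f['line']}: {f['reason']}\n    {f['expression']}")
```

On a real site, feed triage() the Craft version from composer.lock and the template sources pulled from the database or the templates directory; a clean scan does not prove a site untouched, since a PHP file already dropped into the web root survives deletion of the template that wrote it, so pair this with a check for unexpected .php files in web-accessible directories.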

Tags: Exploit · Fix · RCE

Weakness Enumeration: (none listed)
Related Identifiers: CVE-2026-28697, GHSA-V47Q-JXVR-P68X
Affected Products: Craft