PT-2026-22996 · Craft · Craft
Mhe4Am · Published 2026-03-03 · Updated 2026-03-04 · CVE-2026-28783
CVSS v4.0 9.4 Critical
Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions: Craft versions prior to 5.9.0; Craft versions prior to 4.17.0
Description: Craft is a content management system (CMS). Twig allows a template to pass a plain PHP function name as a non-Closure "arrow" argument (for example to a filter that expects a callable), and Craft guards this with a blocklist of potentially dangerous PHP functions. Several PHP functions were missing from that blocklist, so an attacker with the required permissions could call them from a template, leading to remote code execution (RCE), arbitrary file read, server-side request forgery (SSRF), and server-side template injection (SSTI). Exploitation requires allowAdminChanges to be enabled on production, a compromised admin account, or an account with access to the System Messages utility. Twig has deprecated the non-Closure arrow behavior, and it will eventually be removed from Twig altogether.
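The following is an added example, not Craft's or Twig's code. It models, in plain PHP, how a Twig-style map filter resolves its arrow argument when a function-name string is passed instead of a real arrow function (a Closure), and contrasts the blocklist pattern the advisory describes with the sandbox rule that only Closures are accepted. DENYLISTED_FUNCTIONS is a hypothetical, deliberately incomplete list and is not Craft's actual blocklist; mapFilter, resolveArrowByDenylist, resolveArrowSandboxed and attempt are names chosen for this example.

```php
<?php
declare(strict_types=1);

// Added example (not Craft's or Twig's code): a minimal model of how a Twig-style
// "map" filter resolves its "arrow" argument when a plain function-name string is
// passed instead of a Closure, and why gating that on a denylist of PHP function
// names is fragile. DENYLISTED_FUNCTIONS is hypothetical and deliberately
// incomplete; it is not Craft's actual blocklist.

const DENYLISTED_FUNCTIONS = [
    'exec', 'shell_exec', 'system', 'passthru', 'popen',
    'eval', 'assert', 'file_get_contents', 'file_put_contents',
];

/**
 * Denylist approach: accept any existing function name unless it is listed.
 * Normalises case and a leading backslash, since PHP function names are
 * case-insensitive and "\system" resolves the same as "system".
 */
function resolveArrowByDenylist(string|\Closure $arrow): \Closure
{
    if ($arrow instanceof \Closure) {
        return $arrow;
    }
    $name = strtolower(ltrim($arrow, '\\'));
    if (in_array($name, DENYLISTED_FUNCTIONS, true)) {
        throw new \RuntimeException("Function '$arrow' is not allowed in templates");
    }
    if (!function_exists($name)) {
        throw new \RuntimeException("Unknown function '$arrow'");
    }
    // Every function that is not on the list stays reachable from template input.
    return \Closure::fromCallable($name);
}

/**
 * Sandbox-style approach (the rule a Twig sandbox enforces): a non-Closure arrow
 * argument is rejected outright, so no PHP function can be named from a template.
 */
function resolveArrowSandboxed(string|\Closure $arrow): \Closure
{
    if (!$arrow instanceof \Closure) {
        throw new \RuntimeException('The callable passed to "map" must be a Closure in sandbox mode');
    }
    return $arrow;
}

/** Simplified "map" filter: {{ items|map(arrow) }} */
function mapFilter(array $items, string|\Closure $arrow, bool $sandboxed): array
{
    $fn = $sandboxed ? resolveArrowSandboxed($arrow) : resolveArrowByDenylist($arrow);
    return array_map($fn, $items);
}

/** Runs one template-like call and reports whether it was allowed. */
function attempt(string $label, callable $call): void
{
    try {
        $result = $call();
        printf("%-30s allowed -> %s\n", $label, json_encode($result));
    } catch (\RuntimeException $e) {
        printf("%-30s blocked: %s\n", $label, $e->getMessage());
    }
}

// A real Closure works under both policies.
attempt('map(Closure), denylist', fn() => mapFilter(['craft'], fn($s) => strtoupper($s), false));
attempt('map(Closure), sandbox', fn() => mapFilter(['craft'], fn($s) => strtoupper($s), true));

// A listed function is caught by the denylist, including case/backslash variants.
attempt("map('system'), denylist", fn() => mapFilter(['id'], 'system', false));
attempt("map('\\SYSTEM'), denylist", fn() => mapFilter(['id'], '\\SYSTEM', false));

// A function the list never mentioned is not caught. getenv() is harmless here,
// but the same gap applies to any one-argument PHP function the list omits
// (file readers, network fetchers, and so on).
attempt("map('getenv'), denylist", fn() => mapFilter(['PATH'], 'getenv', false));

// The sandbox rejects the string form regardless of which function is named.
attempt("map('getenv'), sandbox", fn() => mapFilter(['PATH'], 'getenv', true));
```

Run it with `php example.php`. The point of the last two calls is the one the advisory makes: a denylist is only as good as its coverage of PHP's built-in functions, whereas refusing the string form altogether (what enableTwigSandbox does by way of Twig's sandbox) closes the whole class.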
Recommendations: Versions prior to 5.9.0 should be updated to version 5.9.0. Versions prior to 4.17.0 should be updated to version 4.17.0, and the enableTwigSandbox config setting should be enabled.
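An added example of the configuration change recommended for the 4.17.0 branch, not a file taken from Craft itself. It uses Craft's multi-environment array form of config/general.php (the '*' key applies everywhere, named keys apply per environment); the two setting names come from the advisory, and the environment names are assumptions for this example.

```php
<?php
// config/general.php (added example, not Craft's own file). The array layout is
// Craft's multi-environment general config; 'production' and 'dev' are assumed
// environment names. Setting names are the ones the advisory refers to.
return [
    '*' => [
        // Hardened: make Twig reject non-Closure arrow functions entirely,
        // so the PHP-function blocklist is no longer the only control.
        'enableTwigSandbox' => true,
    ],
    'production' => [
        // allowAdminChanges enabled on production is one of the preconditions
        // the advisory lists for exploitation; keep it off outside development.
        'allowAdminChanges' => false,
    ],
    'dev' => [
        'allowAdminChanges' => true,
    ],
];
```

After deploying, confirm the effective value (for example from the control panel's Utilities > System Report, or by checking Craft::$app->getConfig()->getGeneral()->enableTwigSandbox in a dev console) rather than assuming the file was picked up, since an environment-specific override can silently win over the '*' block.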

Tags: Exploit · Fix · RCE

Weakness Enumeration: Incomplete List of Disallowed Inputs; Code Injection

Related Identifiers: CVE-2026-28783; GHSA-5FVC-7894-GHP4

Affected Products: Craft