PT-2026-22997 · Craft Cms · Craft Cms

Rajchowdhury240

Published: 2026-03-03 · Updated: 2026-03-05

CVE-2026-28784

CVSS v4.0: 8.6 (High)
Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Craft versions prior to 5.8.22; Craft versions prior to 4.16.18.

Description: Craft, a content management system (CMS), is susceptible to Remote Code Execution (RCE) through a Server-Side Template Injection (SSTI) issue. A malicious payload can be crafted using the Twig map filter within text fields that accept Twig input. This is possible in the Settings section of the Craft control panel or through the System Messages utility. To successfully exploit this, an attacker must have administrator access to the Craft Control Panel with the allowAdminChanges setting enabled, or a non-administrator account with allowAdminChanges disabled but access to the System Messages utility. The allowAdminChanges setting controls whether non-administrator users can modify settings within the Craft control panel.

Recommendations: Craft versions prior to 5.8.22 should be updated to version 5.8.22. Craft versions prior to 4.16.18 should be updated to version 4.16.18.

Exploit

Fix

RCE

Weakness Enumeration

Related Identifiers

CVE-2026-28784
GHSA-QC86-Q28F-GGWW

Affected Products

Craft Cms