PT-2026-54860 · Craft Cms · Craft Cms
Smakarim
·
Published
2026-07-01
·
Updated
2026-07-06
·
CVE-2026-55792
CVSS v4.0
6.0
Medium
| Vector | AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
Craft CMS versions 4.0.0-RC1 through 4.17.9
Craft CMS versions 5.0.0-RC1 through 5.9.9
Description
Control panel users with the
utility:system-messages permission can embed a file-reading payload into system email templates because the dataUrl() Twig function is included in the Twig sandbox allowlist. When these emails are dispatched, the server reads the specified file and returns its contents as a base64-encoded data URL within the email body. This allows for the exfiltration of the .env file, which contains sensitive information such as the database password, CRAFT SECURITY KEY, and third-party API keys. Access to the CRAFT SECURITY KEY allows an attacker to forge session tokens and achieve full administrative account takeover.Recommendations
Update to version 4.18.0.
Update to version 5.10.0.
Exploit
Fix
Information Disclosure
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Craft Cms