PT-2026-54860 · Craft Cms · Craft Cms

Smakarim

·

Published

2026-07-01

·

Updated

2026-07-06

·

CVE-2026-55792

CVSS v4.0

6.0

Medium

VectorAV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions Craft CMS versions 4.0.0-RC1 through 4.17.9 Craft CMS versions 5.0.0-RC1 through 5.9.9
Description Control panel users with the utility:system-messages permission can embed a file-reading payload into system email templates because the dataUrl() Twig function is included in the Twig sandbox allowlist. When these emails are dispatched, the server reads the specified file and returns its contents as a base64-encoded data URL within the email body. This allows for the exfiltration of the .env file, which contains sensitive information such as the database password, CRAFT SECURITY KEY, and third-party API keys. Access to the CRAFT SECURITY KEY allows an attacker to forge session tokens and achieve full administrative account takeover.
Recommendations Update to version 4.18.0. Update to version 5.10.0.

Exploit

Fix

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-55792
GHSA-287W-MXQ6-X2CP

Affected Products

Craft Cms