PT-2026-54862 · Craft Cms · Craft Cms

Angrybrad

·

Published

2026-07-01

·

Updated

2026-07-06

·

CVE-2026-55794

CVSS v4.0

8.7

High

VectorAV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions Craft CMS versions 5.9.0 through 5.9.x
Description Control panel users with entry editing permissions can execute unsandboxed Twig code, which may lead to authenticated Remote Code Execution (RCE). The issue occurs during the entry saving process when strings for a signed redirect URL are compiled as a Twig template using the renderObjectTemplate() function instead of the sandboxed renderSandboxedObjectTemplate() alternative. This signed URL is derived from the Referer HTTP request header, which can be manipulated by an attacker.
Recommendations Update to version 5.10.0.

Fix

RCE

Code Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-55794
GHSA-F74W-488G-8X5R

Affected Products

Craft Cms