PT-2026-54862 · Craft Cms · Craft Cms
Angrybrad
·
Published
2026-07-01
·
Updated
2026-07-06
·
CVE-2026-55794
CVSS v4.0
8.7
High
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
Craft CMS versions 5.9.0 through 5.9.x
Description
Control panel users with entry editing permissions can execute unsandboxed Twig code, which may lead to authenticated Remote Code Execution (RCE). The issue occurs during the entry saving process when strings for a signed redirect URL are compiled as a Twig template using the
renderObjectTemplate() function instead of the sandboxed renderSandboxedObjectTemplate() alternative. This signed URL is derived from the Referer HTTP request header, which can be manipulated by an attacker.Recommendations
Update to version 5.10.0.
Fix
RCE
Code Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Craft Cms