6.1
Craft CMS: Unpatched Sites at Risk of Hacker Takeover
CVE-2026-28784
GHSA-qc86-q28f-ggww
Summary
If your Craft CMS site is not fully patched, an attacker who already holds administrator access to the control panel (with `allowAdminChanges` enabled) or a non-administrator account with access to the System Messages utility can inject a Twig payload through settings fields that accept Twig input and execute code on the server (authenticated RCE via Twig SSTI). To protect your site, update to 5.8.22 or later on the 5.x line, or 4.16.18 or later on the 4.x line.
What to do
- On the 5.x line, update craftcms/cms to 5.8.22 or later (the fix version listed for this entry is 5.9.0-beta.1).
- On the 4.x line, update craftcms/cms to 4.16.18 or later (the fix version listed for this entry is 4.17.0-beta.1).
- Set `allowAdminChanges` to `false` in every non-development environment, as Craft recommends, and review which non-administrator accounts are granted the System Messages utility.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| craftcms | cms | > 5.0.0-RC1 , <= 5.9.0-beta.1 | 5.9.0-beta.1 |
| craftcms | cms | > 4.0.0-RC1 , <= 4.17.0-beta.1 | 4.17.0-beta.1 |
| craftcms | craft_cms | > 4.0.0 , <= 4.17.0 | – |
| craftcms | craft_cms | > 5.0.0 , <= 5.9.0 | – |
| craftcms | craft_cms | 4.0.0 | – |
| craftcms | craft_cms | 5.0.0 | – |
Original title
Craft CMS has potential authenticated Remote Code Execution via Twig SSTI
Original description
For this to work, the attacker must have administrator access to the Craft Control Panel, and [allowAdminChanges](https://craftcms.com/docs/5.x/reference/config/general.html#allowadminchanges) must be enabled, which is against Craft CMS' recommendations for any non-dev environment.
https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production
Alternatively, they can have a non-administrator account with `allowAdminChanges` disabled, but they must have access to the System Messages utility.
It is possible to craft a malicious payload using the Twig `map` filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE.
Users should update to the patched versions (5.8.22 and 4.16.18) to mitigate the issue.
References:
https://github.com/craftcms/cms/pull/18208
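The advisory ties exploitation to two things: an unpatched craftcms/cms version and, for the administrator path, `allowAdminChanges` being left enabled. The Python below is an added triage example, not code from the Craft CMS project or this advisory. It parses a composer.lock for the installed version, compares it against the patched releases named above (5.8.22 and 4.16.18), and scans config text for explicit `allowAdminChanges` values. The composer.lock and config/general.php inputs are constructed samples; the three config shapes it recognises (array-style general.php, the fluent `->allowAdminChanges()` style, and the `CRAFT_ALLOW_ADMIN_CHANGES` environment variable) and the assumption that Craft defaults the setting to `true` come from the author's reading of Craft's config conventions, not from the advisory.

```python
"""Triage helper for CVE-2026-28784 (Craft CMS authenticated Twig SSTI).

Added example, not Craft CMS project code. It checks the two conditions the
advisory names: the installed craftcms/cms version against the patched
releases, and whether allowAdminChanges is explicitly disabled.
"""
import json
import re

# Patched releases per major line, taken from the advisory text.
PATCHED = {5: "5.8.22", 4: "4.16.18"}


def parse_version(version):
    """Turn '5.9.0-beta.1' or 'v4.16.18' into a comparable tuple.

    A pre-release sorts before the final release with the same numbers, so
    5.9.0-beta.1 < 5.9.0 while 5.9.0-beta.1 > 5.8.22. Pre-release labels are
    compared as plain strings, which is enough for patch-level triage.
    """
    core, _, pre = version.lstrip("v").partition("-")
    nums = tuple(int(part) for part in core.split("."))
    nums += (0,) * (3 - len(nums))
    return nums + ((0, pre) if pre else (1, ""),)


def is_vulnerable(installed):
    """True if `installed` predates the patched release on its major line.

    Returns None for lines the advisory does not cover (for example 3.x).
    """
    v = parse_version(installed)
    fixed = PATCHED.get(v[0])
    if fixed is None:
        return None
    return v < parse_version(fixed)


def installed_cms_version(lock_json):
    """Read the craftcms/cms version out of a composer.lock document."""
    lock = json.loads(lock_json)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg["version"]
    return None


# Assumed ways the setting is written: array-style config/general.php, the
# fluent GeneralConfig::create()->allowAdminChanges(...) style, and the
# CRAFT_ALLOW_ADMIN_CHANGES environment variable (e.g. in .env).
_SETTING_PATTERNS = [
    re.compile(r"['\"]allowAdminChanges['\"]\s*=>\s*(true|false)", re.I),
    re.compile(r"->allowAdminChanges\(\s*(true|false)\s*\)", re.I),
    re.compile(r"^\s*CRAFT_ALLOW_ADMIN_CHANGES\s*=\s*['\"]?(true|false|1|0)", re.I | re.M),
]


def admin_changes_values(*config_texts):
    """Every explicit allowAdminChanges value found across the given texts.

    An empty list means nothing sets it, so Craft's default (assumed: true)
    applies. Multi-environment configs legitimately contain both values.
    """
    found = []
    for text in config_texts:
        for pattern in _SETTING_PATTERNS:
            for match in pattern.finditer(text):
                found.append(match.group(1).lower() in ("true", "1"))
    return found


def assess(lock_json, general_php="", dotenv=""):
    """Combine both checks into a triage verdict."""
    version = installed_cms_version(lock_json)
    vulnerable = is_vulnerable(version) if version else None
    values = admin_changes_values(general_php, dotenv)
    # Conservative: treat the setting as enabled unless every explicit value is false.
    admin_changes = True if not values else any(values)
    if version is None:
        verdict = "craftcms/cms not found in composer.lock"
    elif vulnerable is None:
        verdict = "version line not covered by this advisory"
    elif not vulnerable:
        verdict = "patched"
    elif admin_changes:
        verdict = "update now (admin Twig SSTI path is open)"
    else:
        verdict = "update now (non-admin System Messages path still applies)"
    return {
        "version": version,
        "vulnerable_version": vulnerable,
        "admin_changes_enabled": admin_changes,
        "verdict": verdict,
    }


# Constructed sample inputs (not taken from any real site).
SAMPLE_LOCK = json.dumps({"packages": [{"name": "craftcms/cms", "version": "5.8.21"}]})
SAMPLE_GENERAL_PHP = """<?php
return [
    '*' => ['allowAdminChanges' => true],           // weak: applies everywhere unless overridden
    'production' => ['allowAdminChanges' => false], // what Craft recommends for production
];
"""

if __name__ == "__main__":
    print(assess(SAMPLE_LOCK, SAMPLE_GENERAL_PHP))
```

Run it against your own composer.lock and config/general.php. A site that is already on 5.8.22 or 4.16.18 reports "patched"; one on an older release is told to update even when `allowAdminChanges` is false, because the advisory's second path (a non-administrator with the System Messages utility) does not depend on that setting.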
NVD CVSS 3.1
7.2
NVD CVSS 4.0
8.6
Vulnerability type
CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine)
- https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-fals... (Technical Description)
- https://github.com/craftcms/cms/pull/18208 (Issue Tracking, Patch)
- https://github.com/craftcms/cms/security/advisories/GHSA-qc86-q28f-ggww (Patch, Vendor Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2026-28784
- https://github.com/advisories/GHSA-qc86-q28f-ggww
Published: 3 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026