GHSA-94RC-CQVM-M4PW
Vulnerability from github – Published: 2026-03-03 20:30 – Updated: 2026-03-04 18:38
VLAI?
Summary
Craft CMS Vulnerable to Authenticated RCE via Twig SSTI - create() function + Symfony Process gadget
Details
There is an authenticated admin RCE in Craft CMS 5.8.21 via Server-Side Template Injection using the create() Twig function combined with a Symfony Process gadget chain.
This bypasses the fix implemented for CVE-2025-57811 (patched in 5.8.7).
Required Permissions
- Administrator permissions or access to System Messages utility
allowAdminChangesenabled in production (against our security recommendations) or access to System Messages utility
Vulnerability Details
The create() Twig function exposes Craft::createObject(), which allows instantiation of arbitrary PHP classes with constructor arguments. Combined with the bundled symfony/process dependency, this enables RCE.
Attack Vector
Admin panel → Settings → Entry Types → Title Format field
Proof of Concept Payload
{% set p = create("Symfony\\Component\\Process\\Process", [["id"]])
%}{{ p.mustRun.getOutput }}
Steps to Reproduce
- Log in as admin
- Navigate to Settings → Entry Types
- Edit any entry type’s "Title Format" field
- Insert the payload above
- Create/edit an entry of that type
- Command executes, output appears in entry title
Impact
- Authenticated Remote Code Execution
- Runs as web server user (root in default Docker setup)
- Full server compromise
Root Cause
Craft::createObject() allows the instantiation of any class, including
Symfony\Component\Process\Process, which executes shell commands.
Suggested Fix
- Blocklist dangerous classes in createObject() when called from Twig
- Or remove/restrict the create() Twig function
- Or validate class names against an allowlist
Resources
https://github.com/craftcms/cms/commit/e31e50849ad71638e11ea55fbd1ed90ae8f8f6e0
Severity ?
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "craftcms/cms"
},
"ranges": [
{
"events": [
{
"introduced": "5.8.7"
},
{
"fixed": "5.9.0-beta.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "craftcms/cms"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0-RC1"
},
{
"fixed": "4.17.0-beta.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-28695"
],
"database_specific": {
"cwe_ids": [
"CWE-1336",
"CWE-22",
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-03T20:30:36Z",
"nvd_published_at": "2026-03-04T17:16:20Z",
"severity": "MODERATE"
},
"details": "There is an authenticated admin RCE in Craft CMS 5.8.21 via Server-Side Template Injection using the `create()` Twig function combined with a Symfony Process gadget chain.\n\nThis bypasses the fix implemented for CVE-2025-57811 (patched in 5.8.7).\n\n## Required Permissions\n\n- Administrator permissions or access to System Messages utility\n- `allowAdminChanges` enabled in production ([against our security recommendations](https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production)) or access to System Messages utility\n\n## Vulnerability Details\nThe `create()` Twig function exposes `Craft::createObject()`, which allows instantiation of arbitrary PHP classes with constructor arguments. Combined with the bundled `symfony/process` dependency, this enables RCE.\n\n## Attack Vector\nAdmin panel \u2192 Settings \u2192 Entry Types \u2192 Title Format field\n\n## Proof of Concept Payload\n\n```\n{% set p = create(\"Symfony\\\\Component\\\\Process\\\\Process\", [[\"id\"]])\n%}{{ p.mustRun.getOutput }}\n```\n\n## Steps to Reproduce\n1. Log in as admin\n2. Navigate to Settings \u2192 Entry Types\n3. Edit any entry type\u2019s \"Title Format\" field\n4. Insert the payload above\n5. Create/edit an entry of that type\n6. Command executes, output appears in entry title\n\n## Impact\n- Authenticated Remote Code Execution\n- Runs as web server user (root in default Docker setup)\n- Full server compromise\n\n## Root Cause\nCraft::createObject() allows the instantiation of any class, including\n`Symfony\\Component\\Process\\Process`, which executes shell commands.\n\n## Suggested Fix\n\n- Blocklist dangerous classes in createObject() when called from Twig\n- Or remove/restrict the create() Twig function\n- Or validate class names against an allowlist\n\n## Resources\n\nhttps://github.com/craftcms/cms/commit/e31e50849ad71638e11ea55fbd1ed90ae8f8f6e0",
"id": "GHSA-94rc-cqvm-m4pw",
"modified": "2026-03-04T18:38:42Z",
"published": "2026-03-03T20:30:36Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-94rc-cqvm-m4pw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28695"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/commit/e31e50849ad71638e11ea55fbd1ed90ae8f8f6e0"
},
{
"type": "PACKAGE",
"url": "https://github.com/craftcms/cms"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Craft CMS Vulnerable to Authenticated RCE via Twig SSTI - create() function + Symfony Process gadget"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…