Moderate severityNVD Advisory· Published Mar 4, 2026· Updated Mar 6, 2026
Craft affected by authenticated RCE via Twig SSTI - create() function + Symfony Process gadget
CVE-2026-28695
Description
Craft is a content management system (CMS). There is an authenticated admin RCE in Craft CMS 5.8.21 via Server-Side Template Injection using the create() Twig function combined with a Symfony Process gadget chain. The create() Twig function exposes Craft::createObject(), which allows instantiation of arbitrary PHP classes with constructor arguments. Combined with the bundled symfony/process dependency, this enables RCE. This bypasses the fix implemented for CVE-2025-57811 (patched in 5.8.7). This vulnerability is fixed in 5.9.0-beta.1 and 4.17.0-beta.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
craftcms/cmsPackagist | >= 5.8.7, < 5.9.0-beta.1 | 5.9.0-beta.1 |
craftcms/cmsPackagist | >= 4.0.0-RC1, < 4.17.0-beta.1 | 4.17.0-beta.1 |
Affected products
2Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-94rc-cqvm-m4pwghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-28695ghsaADVISORY
- github.com/craftcms/cms/commit/e31e50849ad71638e11ea55fbd1ed90ae8f8f6e0ghsax_refsource_MISCWEB
- github.com/craftcms/cms/security/advisories/GHSA-94rc-cqvm-m4pwghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.