VYPR
Moderate severityNVD Advisory· Published Mar 4, 2026· Updated Mar 6, 2026

Craft affected by authenticated RCE via Twig SSTI - create() function + Symfony Process gadget

CVE-2026-28695

Description

Craft is a content management system (CMS). There is an authenticated admin RCE in Craft CMS 5.8.21 via Server-Side Template Injection using the create() Twig function combined with a Symfony Process gadget chain. The create() Twig function exposes Craft::createObject(), which allows instantiation of arbitrary PHP classes with constructor arguments. Combined with the bundled symfony/process dependency, this enables RCE. This bypasses the fix implemented for CVE-2025-57811 (patched in 5.8.7). This vulnerability is fixed in 5.9.0-beta.1 and 4.17.0-beta.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
craftcms/cmsPackagist
>= 5.8.7, < 5.9.0-beta.15.9.0-beta.1
craftcms/cmsPackagist
>= 4.0.0-RC1, < 4.17.0-beta.14.17.0-beta.1

Affected products

2

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.