VYPR
Moderate severity · NVD Advisory · Published Mar 4, 2026 · Updated Mar 6, 2026

Craft is affected by potential authenticated Remote Code Execution via Twig SSTI

CVE-2026-28784

Description

Craft is a content management system (CMS). Prior to 5.8.22 and 4.16.18, it is possible to craft a malicious payload using the Twig map filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to an RCE. For this to work, you must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled, which is against our recommendations for any non-dev environment. Alternatively, you can have a non-administrator account with allowAdminChanges disabled, but with access to the System Messages utility. Users should update to the patched versions (5.8.22 and 4.16.18) to mitigate the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Craft CMS prior to 5.8.22 and 4.16.18 allows authenticated RCE via a malicious Twig map filter payload in Settings or System Messages.

Vulnerability

Overview

Craft CMS versions prior to 5.8.22 and 4.16.18 contain a server-side template injection (SSTI) vulnerability that can lead to remote code execution (RCE). The flaw is reached through the Twig map filter: certain administrative text fields accept Twig input, and a payload built around the map filter can be entered in the Settings area of the Craft control panel or via the System Messages utility [1][2].
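The advisory does not publish the payload, but the shape it describes (the Twig map filter abused inside admin-editable Twig text) matches the well-known Twig technique of handing map, and its sibling callable-taking filters filter, reduce and sort, a string naming a PHP function instead of an arrow function. The Python below is an added example, not the advisory's or Craft's code: it scans text exported from such fields and reports every one of those filters whose argument is not an arrow function. The sample fields, including the map('system') payload, are constructed for the demonstration; the four-filter list and the field names are assumptions.

```python
import re

# Twig filters that take a callable. The advisory names only `map`; the other
# three are assumed here because they accept a callable the same way.
CALLABLE_FILTERS = ("map", "filter", "reduce", "sort")
_FILTER_OPEN = re.compile(r"\|\s*(" + "|".join(CALLABLE_FILTERS) + r")\s*\(")


def _argument_text(text, start):
    """Return the text between the '(' at start-1 and its matching ')',
    ignoring parentheses that sit inside string literals."""
    depth, quote, i = 1, None, start
    while i < len(text):
        c = text[i]
        if quote:
            if c == "\\":
                i += 2          # skip an escaped character inside the string
                continue
            if c == quote:
                quote = None
        elif c in "'\"":
            quote = c
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                return text[start:i]
        i += 1
    return text[start:]         # unterminated: return what is there


def find_callable_filter_abuse(text):
    """List (filter, argument) pairs where a callable-taking filter is given
    something other than an arrow function. A string such as 'system' names
    a PHP function; an arrow function (`v => ...`) is the legitimate form."""
    hits = []
    for m in _FILTER_OPEN.finditer(text):
        arg = _argument_text(text, m.end()).strip()
        if arg and "=>" not in arg:
            hits.append((m.group(1), arg))
    return hits


def audit_fields(fields):
    """Run the check over a {field name: Twig text} mapping and return only
    the fields that have findings."""
    report = {}
    for name, text in fields.items():
        hits = find_callable_filter_abuse(text)
        if hits:
            report[name] = hits
    return report


# Constructed sample export (not real Craft data); field names are assumptions.
SAMPLE_FIELDS = {
    "systemmessages/verify_email": (
        "Hi {{ user.friendlyName }}, your tags: "
        "{{ user.tags|map(t => t.title)|join(', ') }}"
    ),
    "systemmessages/forgot_password": "{{ ['id']|map('system')|join }}",
    "project/email.yaml:template": "{{ ['x']|map('sys' ~ 'tem') }}",
    "project/sites.yaml:baseUrl": (
        "{{ rows|filter(r => r.tags|map(t => t.slug) is not empty) }}"
    ),
}

if __name__ == "__main__":
    for name, hits in audit_fields(SAMPLE_FIELDS).items():
        for flt, arg in hits:
            print(f"{name}: |{flt}({arg}) is not an arrow function; review")
```

Feed it whatever holds Twig that administrators can edit (the system messages table, exported project config values) rather than front-end templates. The check is textual triage, not a parser: an argument that embeds `=>` inside a string literal would slip past it, so treat a clean run as "nothing obvious", and a hit as something to read by hand.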

Exploitation

Prerequisites

Exploitation requires authenticated access to the Craft control panel. Two attack scenarios exist: an administrator account with allowAdminChanges enabled (which is discouraged for non-development environments), or a non-administrator account that has access to the System Messages utility even when allowAdminChanges is disabled [2][4]. The allowAdminChanges setting is a security hardening measure that, when set to false, prevents changes to system settings via the control panel [1].

Impact

Successful exploitation allows an authenticated attacker to execute arbitrary code on the server. This could lead to full compromise of the Craft CMS installation, including data exfiltration, modification of content, or further lateral movement within the hosting environment [2][4].

Mitigation

The Craft CMS team has released patched versions 5.8.22 and 4.16.18 to address this vulnerability. Users are strongly advised to update immediately. Additionally, following security best practices such as disabling allowAdminChanges in production environments and restricting access to the System Messages utility can reduce the attack surface [1][2][4].
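A quick pre-patch audit for the two conditions above, added here as an example that is neither the advisory's nor Craft's code. It reads the craftcms/cms version out of composer.lock, tests it against the affected ranges (lower bounds from the advisory's package table, upper bounds the 5.8.22 and 4.16.18 fixes named in the description), and checks whether allowAdminChanges has been disabled through the CRAFT_ALLOW_ADMIN_CHANGES environment override. The composer.lock and .env contents are constructed for the demonstration; the environment-variable name and the default-true behaviour of the setting are assumptions taken from Craft's configuration documentation.

```python
import json
import re

# Affected ranges: lower bounds from the advisory's package table, upper bounds
# the fixed releases named in the description (assumed to be the right cut-off).
AFFECTED_RANGES = (("5.0.0-RC1", "5.8.22"), ("4.0.0-RC1", "4.16.18"))


def parse_version(version):
    """Turn a Composer/semver-style version into a sortable tuple.
    Pre-releases sort before the release they precede (5.9.0-beta.1 < 5.9.0),
    numeric pre-release identifiers sort before alphabetic ones, and alphabetic
    ones compare case-insensitively (beta < rc). Build metadata after '+' is
    ignored; dev branches such as 5.x-dev are not handled."""
    version = version.lstrip("v").split("+", 1)[0]
    core, _, pre = version.partition("-")
    numbers = tuple(int(part) for part in core.split("."))
    numbers += (0,) * (3 - len(numbers))
    if not pre:
        return (numbers, 1, ())
    idents = tuple((0, int(i), "") if i.isdigit() else (1, 0, i)
                   for i in pre.lower().split("."))
    return (numbers, 0, idents)


def is_affected(version):
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def installed_craft_version(lock_json):
    """Version of craftcms/cms recorded in composer.lock, or None."""
    data = json.loads(lock_json)
    for pkg in data.get("packages", []) + data.get("packages-dev", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg["version"]
    return None


# Assumed override form: Craft reads CRAFT_<SETTING> from the environment.
_ADMIN_CHANGES = re.compile(
    r"^\s*(?:export\s+)?CRAFT_ALLOW_ADMIN_CHANGES\s*=\s*['\"]?(\w+)", re.M)


def admin_changes_allowed(env_text):
    """True/False from the CRAFT_ALLOW_ADMIN_CHANGES line of a .env file, or
    None when it is not set there (it may still be set in config/general.php)."""
    m = _ADMIN_CHANGES.search(env_text)
    if not m:
        return None
    return m.group(1).lower() in ("1", "true", "yes", "on")


def assess(lock_json, env_text):
    """Return the list of findings for one deployment."""
    findings = []
    version = installed_craft_version(lock_json)
    if version is None:
        findings.append("craftcms/cms not present in composer.lock")
    elif is_affected(version):
        findings.append(f"craftcms/cms {version} is affected; "
                        "update to 5.8.22 / 4.16.18 or later")
    allowed = admin_changes_allowed(env_text)
    if allowed is None:
        findings.append("CRAFT_ALLOW_ADMIN_CHANGES not set in .env; confirm "
                        "allowAdminChanges in config/general.php (default true)")
    elif allowed:
        findings.append("allowAdminChanges is enabled; set it to false "
                        "outside development")
    return findings


# Constructed inputs for the demonstration, not real project files.
COMPOSER_LOCK = json.dumps({"packages": [
    {"name": "craftcms/cms", "version": "5.8.21"},
    {"name": "example/other-package", "version": "1.2.3"},
]})
DOTENV = "CRAFT_ENVIRONMENT=production\nCRAFT_ALLOW_ADMIN_CHANGES=true\n"

if __name__ == "__main__":
    for finding in assess(COMPOSER_LOCK, DOTENV):
        print("-", finding)
```

The version comparison is deliberately self-contained so the script runs without the packaging module; if you already normalise Composer versions elsewhere, swap that in. Note that a missing CRAFT_ALLOW_ADMIN_CHANGES line is reported rather than assumed safe, because the setting can also be fixed in config/general.php, and Craft's default leaves admin changes enabled.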

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                    Affected versions               Patched versions
craftcms/cms (Packagist)   >= 5.0.0-RC1, < 5.9.0-beta.1    5.9.0-beta.1
craftcms/cms (Packagist)   >= 4.0.0-RC1, < 4.17.0-beta.1   4.17.0-beta.1

These ranges run up to the first beta of the next minor release, whereas the description above names 5.8.22 and 4.16.18 as the patched releases; treat those two as the minimum versions to be on.
