{
  "schema_version": "1.4.0",
  "id": "GHSA-94rc-cqvm-m4pw",
  "modified": "2026-03-04T18:38:42Z",
  "published": "2026-03-03T20:30:36Z",
  "aliases": [
    "CVE-2026-28695"
  ],
  "summary": "Craft CMS Vulnerable to Authenticated RCE via Twig SSTI - create() function + Symfony Process gadget",
  "details": "There is an authenticated admin RCE in Craft CMS 5.8.21 via Server-Side Template Injection using the `create()` Twig function combined with a Symfony Process gadget chain.\n\nThis bypasses the fix implemented for CVE-2025-57811 (patched in 5.8.7).\n\n## Required Permissions\n\n- Administrator permissions or access to System Messages utility\n- `allowAdminChanges` enabled in production ([against our security recommendations](https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production))  or access to System Messages utility\n\n## Vulnerability Details\nThe `create()` Twig function exposes `Craft::createObject()`, which allows instantiation of arbitrary PHP classes with constructor arguments. Combined with the bundled `symfony/process` dependency, this enables RCE.\n\n## Attack Vector\nAdmin panel → Settings → Entry Types → Title Format field\n\n## Proof of Concept Payload\n\n```\n{% set p = create(\"Symfony\\\\Component\\\\Process\\\\Process\", [[\"id\"]])\n%}{{ p.mustRun.getOutput }}\n```\n\n## Steps to Reproduce\n1. Log in as admin\n2. Navigate to Settings → Entry Types\n3. Edit any entry type’s \"Title Format\" field\n4. Insert the payload above\n5. Create/edit an entry of that type\n6. Command executes, output appears in entry title\n\n## Impact\n- Authenticated Remote Code Execution\n- Runs as web server user (root in default Docker setup)\n- Full server compromise\n\n## Root Cause\nCraft::createObject() allows the instantiation of any class, including\n`Symfony\\Component\\Process\\Process`, which executes shell commands.\n\n## Suggested Fix\n\n- Blocklist dangerous classes in createObject() when called from Twig\n- Or remove/restrict the create() Twig function\n- Or validate class names against an allowlist\n\n## Resources\n\nhttps://github.com/craftcms/cms/commit/e31e50849ad71638e11ea55fbd1ed90ae8f8f6e0",
  "severity": [
    {
      "type": "CVSS_V4",
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/cms"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "5.8.7"
            },
            {
              "fixed": "5.9.0-beta.1"
            }
          ]
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/cms"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "4.0.0-RC1"
            },
            {
              "fixed": "4.17.0-beta.1"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/security/advisories/GHSA-94rc-cqvm-m4pw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28695"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/commit/e31e50849ad71638e11ea55fbd1ed90ae8f8f6e0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/craftcms/cms"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336",
      "CWE-22",
      "CWE-94"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-03T20:30:36Z",
    "nvd_published_at": "2026-03-04T17:16:20Z"
  }
}