CVE-2026-28784
Craft CMS has potential authenticated Remote Code Execution via Twig SSTI
描述
For this to work, the attacker must have administrator access to the Craft Control Panel, and [allowAdminChanges](https://craftcms.com/docs/5.x/reference/config/general.html#allowadminchanges) must be enabled, which is against Craft CMS' recommendations for any non-dev environment. https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production Alternatively, they can have a non-administrator account with `allowAdminChanges` disabled, but they must have access to the System Messages utility. It is possible to craft a malicious payload using the Twig `map` filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE. Users should update to the patched versions (5.8.22 and 4.16.18) to mitigate the issue. References: https://github.com/craftcms/cms/pull/18208
如何修補 CVE-2026-28784
要修補 CVE-2026-28784,請將受影響套件升級到下列已修補版本。
- —升級至 5.9.0-beta.1 或更新版本
CVE-2026-28784 正在被利用嗎?
低 — EPSS 為 0.0%,目前沒有觀察到大規模利用活動。
受影響套件(1)
- >= 5.0.0-RC1, < 5.9.0-beta.1
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U |