CVE-2026-28695— Craft affected by authenticated RCE via Twig SSTI - create() function + Symfony Process gadget
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-28695
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Craft affected by authenticated RCE via Twig SSTI - create() function + Symfony Process gadget
Source: NVD (National Vulnerability Database)
Vulnerability Description
Craft is a content management system (CMS). There is an authenticated admin RCE in Craft CMS 5.8.21 via Server-Side Template Injection using the create() Twig function combined with a Symfony Process gadget chain. The create() Twig function exposes Craft::createObject(), which allows instantiation of arbitrary PHP classes with constructor arguments. Combined with the bundled symfony/process dependency, this enables RCE. This bypasses the fix implemented for CVE-2025-57811 (patched in 5.8.7). This vulnerability is fixed in 5.9.0-beta.1 and 4.17.0-beta.1.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
CWE-1336
Source: NVD (National Vulnerability Database)
Vulnerability Title
Craft CMS 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Craft CMS是Craft CMS开源的一套内容管理系统(CMS)。 Craft CMS 5.8.21版本存在安全漏洞,该漏洞源于通过create() Twig函数结合Symfony Process小工具链进行服务器端模板注入,可能导致远程代码执行。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-28695
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-28695
请登录查看更多情报信息。
Same Patch Batch · craftcms · 2026-03-04 · 8 CVEs total
| CVE-2026-28696 | Craft affected by IDOR via GraphQL @parseRefs | |
| CVE-2026-28697 | Craft Affected by Authenticated RCE via "craft.app.fs.write()" in Twig Templates | |
| CVE-2026-28781 | Craft Affected by Entries Authorship Spoofing via Mass Assignment | |
| CVE-2026-28782 | Craft has a Permission Bypass and IDOR in Duplicate Entry Action | |
| CVE-2026-29069 | Craft has an unauthenticated activation email trigger with potential user enumeration | |
| CVE-2026-28783 | Craft has a Twig Function Blocklist Bypass | |
| CVE-2026-28784 | Craft is affected by potential authenticated Remote Code Execution via Twig SSTI |
IV. Related Vulnerabilities
Same product: cms
- CVE-2026-7508
Bootstrap CMS Page Creation show.blade.php code injection - CVE-2026-7317
Grav CMS Cache Value FileCache.php doGet deserialization - CVE-2026-7016
MaxSite CMS ushki Plugin cross site scripting - CVE-2026-7015
MaxSite CMS Guestbook Plugin cross site scripting - CVE-2026-7014
MaxSite CMS down_count Plugin cross site scripting
Same vendor: craftcms
- CVE-2026-41130
Craft CMS has a host header injection leading to SSRF via re - CVE-2026-41129
Craft CMS has Server-Side Request Forgery (SSRF) with Asset - CVE-2026-41128
Craft CMS has a Missing Authorization Check on User Group Re - CVE-2026-32272
Craft Commerce: Blind SQL Injection via hasVariant/hasProduc - CVE-2026-32271
Craft Commerce: SQL Injection can lead to Remote Code Execut
Same weakness: CWE-1336
- CVE-2026-44129
Server-side template injection - CVE-2026-44916
OpenStack Ironic 安全漏洞 - CVE-2026-42203
LiteLLM: Server-Side Template Injection in /prompts/test end - CVE-2026-6984
AstrBotDevs AstrBot Dashboard API t2i.py create_template spe - CVE-2026-34587
Kirby has Server-Side Template Injection (SSTI) via double t
V. Comments for CVE-2026-28695
No comments yet