CVE-2026-28783

Craft has a Twig Function Blocklist Bypass

Assigner: GitHub_M
Reserved: 03.03.2026 Published: 04.03.2026 Updated: 04.03.2026

Craft is a content management system (CMS). Prior to 5.9.0-beta.1 and 4.17.0-beta.1, Craft CMS implements a blocklist to prevent potentially dangerous PHP functions from being called via Twig non-Closure arrow functions. In order to be able to successfully execute this attack, you need to either have allowAdminChanges enabled on production, or a compromised admin account, or an account with access to the System Messages utility. Several PHP functions are not included in the blocklist, which could allow malicious actors with the required permissions to execute various types of payloads, including RCEs, arbitrary file reads, SSRFs, and SSTIs. This vulnerability is fixed in 5.9.0-beta.1 and 4.17.0-beta.1.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CVSS Score: 9.4

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	High
Attack Complexity	Low	Integrity	High	Integrity	High
Attack Requirements	None	Availability	High	Availability	High
Privileges Required	High
User Interaction	None

CVSS 4.0

Product Status

Vendor	craftcms
Product	cms
Versions	Version >= 5.0.0-RC1, <= 5.9.0-beta.1 is affected Version >= 4.0.0-RC1, <= 4.17.0-beta.1 is affected

Vendor

craftcms

Product

cms

Versions

Version >= 5.0.0-RC1, <= 5.9.0-beta.1 is affected
Version >= 4.0.0-RC1, <= 4.17.0-beta.1 is affected

References

Problem Types

CWE-94: Improper Control of Generation of Code ('Code Injection') CWE
CWE-184: Incomplete List of Disallowed Inputs CWE
CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine CWE

CVE-2026-28783 PUBLISHED

Craft has a Twig Function Blocklist Bypass

Metrics

Product Status

References

Problem Types