CVE-2026-55792

Source
https://cve.org/CVERecord?id=CVE-2026-55792
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-55792.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-55792
Aliases
Published
2026-07-01T23:20:28.993Z
Modified
2026-07-15T01:49:16.414674791Z
Severity
  • 6.0 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Craft CMS: Sensitive File Disclosure / Server-Side File Read
Details

Craft CMS is a content management system (CMS). In versions starting from 4.0.0-RC1 and prior to 4.18.0, and 5.0.0-RC1 and above, prior to 5.10.0, the dataUrl() Twig function is included in Craft’s Twig sandbox allowlist, allowing any control panel user granted the utility:system-messages permission to embed a file-reading payload into system email templates. When those emails are sent, the server reads the target file and returns its contents as a base64-encoded data URL embedded in the email body. The .env file, which typically contains the database password, CRAFTSECURITYKEY, and third-party API keys, passes all of Craft’s existing dataUrl() protection checks and is fully exfiltrated. Obtaining CRAFTSECURITYKEY enables an attacker to forge session tokens and escalate to full admin account takeover. This issue has been fixed in versions 4.18.0 and 5.10.0.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55792.json",
    "cwe_ids": [
        "CWE-200"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/craftcms/cms

Affected ranges

Type
GIT
Repo
https://github.com/craftcms/cms
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "4.0.0-RC1"
        },
        {
            "fixed": "4.18.0"
        },
        {
            "introduced": "5.0.0-RC1"
        },
        {
            "fixed": "5.10.0"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-55792.json"