GHSA-94rc-cqvm-m4pw

Source

https://github.com/advisories/GHSA-94rc-cqvm-m4pw

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-94rc-cqvm-m4pw/GHSA-94rc-cqvm-m4pw.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-94rc-cqvm-m4pw

Aliases

CVE-2026-28695

Published

2026-03-03T20:30:36Z

Modified

2026-03-04T18:46:15.470209Z

Severity

6.6 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P CVSS Calculator

Summary

Craft CMS Vulnerable to Authenticated RCE via Twig SSTI - create() function + Symfony Process gadget

Details

There is an authenticated admin RCE in Craft CMS 5.8.21 via Server-Side Template Injection using the create() Twig function combined with a Symfony Process gadget chain.

This bypasses the fix implemented for CVE-2025-57811 (patched in 5.8.7).

Required Permissions

Administrator permissions or access to System Messages utility
allowAdminChanges enabled in production (against our security recommendations) or access to System Messages utility

Vulnerability Details

The create() Twig function exposes Craft::createObject(), which allows instantiation of arbitrary PHP classes with constructor arguments. Combined with the bundled symfony/process dependency, this enables RCE.

Attack Vector

Admin panel → Settings → Entry Types → Title Format field

Proof of Concept Payload

{% set p = create("Symfony\\Component\\Process\\Process", [["id"]])
%}{{ p.mustRun.getOutput }}

Steps to Reproduce

Log in as admin
Navigate to Settings → Entry Types
Edit any entry type’s "Title Format" field
Insert the payload above
Create/edit an entry of that type
Command executes, output appears in entry title

Impact

Authenticated Remote Code Execution
Runs as web server user (root in default Docker setup)
Full server compromise

Root Cause

Craft::createObject() allows the instantiation of any class, including Symfony\Component\Process\Process, which executes shell commands.

Suggested Fix

Blocklist dangerous classes in createObject() when called from Twig
Or remove/restrict the create() Twig function
Or validate class names against an allowlist

Resources

https://github.com/craftcms/cms/commit/e31e50849ad71638e11ea55fbd1ed90ae8f8f6e0

Database specific

{
    "github_reviewed": true,
    "nvd_published_at": "2026-03-04T17:16:20Z",
    "cwe_ids": [
        "CWE-1336",
        "CWE-22",
        "CWE-94"
    ],
    "github_reviewed_at": "2026-03-03T20:30:36Z",
    "severity": "MODERATE"
}

References

Affected packages

Packagist / craftcms/cms

Package

Name: craftcms/cms
Purl: pkg:composer/craftcms/cms

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.8.7

Fixed

5.9.0-beta.1

Affected versions

5.*

5.8.7

5.8.8

5.8.9

5.8.10

5.8.11

5.8.12

5.8.13

5.8.13.1

5.8.13.2

5.8.14

5.8.15

5.8.16

5.8.17

5.8.18

5.8.19

5.8.20

5.8.21

5.8.22

5.8.23

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-94rc-cqvm-m4pw/GHSA-94rc-cqvm-m4pw.json"

Packagist / craftcms/cms

Package

Name: craftcms/cms
Purl: pkg:composer/craftcms/cms

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0.0-RC1

Fixed

4.17.0-beta.1

Affected versions

4.*

4.0.0-RC1

4.0.0-RC2

4.0.0-RC3

4.0.0

4.0.0.1

4.0.1

4.0.2

4.0.3

4.0.4

4.0.5

4.0.5.1

4.0.5.2

4.0.6

4.1.0

4.1.0.1

4.1.0.2

4.1.1

4.1.2

4.1.3

4.1.4

4.1.4.1

4.2.0

4.2.0.1

4.2.0.2

4.2.1

4.2.1.1

4.2.2

4.2.3

4.2.4

4.2.5

4.2.5.1

4.2.5.2

4.2.6

4.2.7

4.2.8

4.3.0

4.3.1

4.3.2

4.3.2.1

4.3.3

4.3.4

4.3.5

4.3.6

4.3.6.1

4.3.7

4.3.7.1

4.3.8

4.3.8.1

4.3.8.2

4.3.9

4.3.10

4.3.11

4.4.0-beta.1

4.4.0-beta.2

4.4.0-beta.3

4.4.0-beta.4

4.4.0-beta.5

4.4.0-beta.6

4.4.0-beta.7

4.4.0

4.4.1

4.4.2

4.4.3

4.4.4

4.4.5

4.4.6

4.4.6.1

4.4.7

4.4.7.1

4.4.8

4.4.9

4.4.10

4.4.10.1

4.4.11

4.4.12

4.4.13

4.4.14

4.4.15

4.4.16

4.4.16.1

4.4.17

4.5.0-beta.1

4.5.0-beta.2

4.5.0

4.5.1

4.5.2

4.5.3

4.5.4

4.5.5

4.5.6

4.5.6.1

4.5.7

4.5.8

4.5.9

4.5.10

4.5.11

4.5.11.1

4.5.12

4.5.13

4.5.14

4.5.15

4.6.0-RC1

4.6.0

4.6.1

4.7.0

4.7.1

4.7.2

4.7.2.1

4.7.3

4.7.4

4.8.0

4.8.1

4.8.2

4.8.3

4.8.4

4.8.5

4.8.6

4.8.7

4.8.8

4.8.9

4.8.10

4.8.11

4.9.0

4.9.1

4.9.2

4.9.3

4.9.4

4.9.5

4.9.6

4.9.7

4.10.0-beta.1

4.10.0-beta.2

4.10.0

4.10.1

4.10.2

4.10.3

4.10.4

4.10.5

4.10.6

4.10.7

4.10.8

4.11.0

4.11.0.1

4.11.0.2

4.11.1

4.11.2

4.11.3

4.11.4

4.11.5

4.12.0

4.12.1

4.12.2

4.12.3

4.12.4

4.12.4.1

4.12.5

4.12.6

4.12.6.1

4.12.7

4.12.8

4.12.9

4.13.0

4.13.1

4.13.1.1

4.13.2

4.13.3

4.13.4

4.13.5

4.13.6

4.13.7

4.13.8

4.13.9

4.13.10

4.14.0

4.14.0.1

4.14.0.2

4.14.1

4.14.2

4.14.3

4.14.4

4.14.5

4.14.6

4.14.7

4.14.8

4.14.8.1

4.14.9

4.14.10

4.14.11

4.14.11.1

4.14.12

4.14.13

4.14.14

4.14.15

4.15.0-beta.1

4.15.0-beta.2

4.15.0

4.15.0.1

4.15.0.2

4.15.1

4.15.2

4.15.3

4.15.4

4.15.5

4.15.6

4.15.6.1

4.15.6.2

4.15.7

4.16.0

4.16.1

4.16.2

4.16.3

4.16.4

4.16.5

4.16.6

4.16.6.1

4.16.7

4.16.8

4.16.9

4.16.9.1

4.16.10

4.16.11

4.16.12

4.16.13

4.16.14

4.16.15

4.16.16

4.16.17

4.16.18

4.16.19

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-94rc-cqvm-m4pw/GHSA-94rc-cqvm-m4pw.json"