Platform
php
Component
cms
Fixed in
5.0.1
4.0.1
This vulnerability affects Craft CMS, a popular content management system. Prior to versions 5.9.0-beta.1 and 4.17.0-beta.1, a blocklist intended to prevent dangerous PHP functions within Twig non-Closure arrow functions was incomplete. Malicious actors with sufficient privileges, such as admin access or the allowAdminChanges setting enabled, can exploit this flaw to execute arbitrary code.
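To illustrate the design point behind this flaw, here is an added PHP example (not Craft CMS code) of validating the function name that a Twig non-Closure arrow function would resolve to: a denylist has to be compared against the normalized name (PHP resolves function names case-insensitively and ignores a leading backslash), and an allowlist of permitted helpers is the more robust design because it needs no update when a new dangerous function is discovered. The lists and names are constructed for illustration; they are not Craft's actual blocklist, and the name variants shown are generic PHP semantics rather than the specific gap in Craft's blocklist.

```php
<?php
// Added illustration (not Craft CMS code): validating a PHP function name
// referenced from a template before it may be used as a callable.
declare(strict_types=1);

/**
 * Normalize a function name the way PHP resolves it: drop surrounding
 * whitespace and a leading namespace separator, then lower-case it
 * (PHP function names are case-insensitive).
 */
function normalizeCallableName(string $name): string
{
    return strtolower(ltrim(trim($name), '\\'));
}

/**
 * Denylist check. Comparing the raw string instead of the normalized one
 * would miss spellings such as 'SYSTEM' or '\system' that resolve to the
 * same function, which is one typical way a blocklist ends up incomplete.
 */
function isDeniedCallable(string $name, array $denylist): bool
{
    $normalized = array_map('normalizeCallableName', $denylist);
    return in_array(normalizeCallableName($name), $normalized, true);
}

/**
 * Allowlist check: only explicitly permitted, side-effect-free helpers may
 * be named; anything else is rejected regardless of how it is spelled.
 */
function isAllowedCallable(string $name, array $allowlist): bool
{
    $normalized = array_map('normalizeCallableName', $allowlist);
    return in_array(normalizeCallableName($name), $normalized, true);
}

// Constructed sample lists (hypothetical; not the project's own lists).
$denylist  = ['exec', 'system', 'shell_exec', 'passthru', 'call_user_func'];
$allowlist = ['strtoupper', 'strtolower', 'trim', 'ucfirst', 'strlen'];

foreach (['strtoupper', 'system', 'SYSTEM', '\\shell_exec', 'proc_open'] as $candidate) {
    // 'proc_open' is absent from the sample denylist, so only the allowlist rejects it.
    printf("%-12s denied=%-3s allowed=%s\n",
        $candidate,
        isDeniedCallable($candidate, $denylist) ? 'yes' : 'no',
        isAllowedCallable($candidate, $allowlist) ? 'yes' : 'no');
}
```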
The impact of this RCE vulnerability is severe. An attacker who can successfully exploit it can gain complete control over the affected Craft CMS instance. This includes the ability to read, modify, and delete sensitive data, install malicious software, and potentially pivot to other systems on the network. The ability to execute arbitrary PHP code bypasses standard security controls, making it a highly dangerous vulnerability. The requirement for admin access or allowAdminChanges does limit the immediate attack surface, but compromise of an admin account would grant the attacker full control.
This vulnerability was publicly disclosed on March 4, 2026. While no public exploits have been reported at the time of writing, the RCE nature of the vulnerability and the relatively straightforward exploitation path make it a likely target for exploitation. It is not currently listed on CISA KEV. The wide deployment of affected versions in production environments increases the potential for exploitation.
Organizations using Craft CMS versions 4.0.0-RC1 through 5.9.0-beta.1 are at risk, particularly those with allowAdminChanges enabled on production servers or with compromised administrator accounts. Shared hosting environments running Craft CMS are also at increased risk due to the potential for cross-site contamination.
• php / server:
find /var/www/craftcms -name '*.twig' -print0 | xargs -0 grep -nwE 'array_map|array_walk|call_user_func|call_user_func_array|create_function|eval|exec|passthru|shell_exec|system|proc_open|proc_close|proc_get_status|phpinfo|assert|unlink|rmdir|rename|copy|move|file_put_contents|file_get_contents|include|require|include_once|require_once|session_start|session_destroy|\$_(GET|POST|REQUEST|COOKIE|SESSION|ENV|SERVER|FILES)'
• php / server:
grep -nE "allowAdminChanges['\"]?\s*=>\s*true" /var/www/craftcms/config/general.php; grep -nE '^CRAFT_ALLOW_ADMIN_CHANGES=(true|1)' /var/www/craftcms/.env
Exploit status
EPSS
0.09% (25th percentile)
CISA SSVC
The primary mitigation is to upgrade to Craft CMS version 5.9.0-beta.1 or later, which includes the necessary fixes to the blocklist. If upgrading immediately is not possible, disabling the allowAdminChanges setting on production environments can significantly reduce the attack surface. Carefully review and restrict user permissions to limit the number of accounts with administrative privileges. Consider implementing a Web Application Firewall (WAF) with rules to detect and block attempts to execute arbitrary PHP code through Twig templates, although this is not a substitute for patching. Monitor system logs for unusual PHP activity or attempts to access sensitive files.
Update Craft CMS to version 5.9.0-beta.1 or 4.17.0-beta.1 or later to fix the vulnerability. This prevents the execution of dangerous PHP functions via Twig.
CVE-2026-28783 is a Remote Code Execution vulnerability in Craft CMS affecting versions 4.0.0-RC1 through 5.9.0-beta.1, allowing attackers with admin access to execute arbitrary PHP code.
You are affected if you are running Craft CMS versions 4.0.0-RC1 through 5.9.0-beta.1 and have admin access or allowAdminChanges enabled.
Upgrade to Craft CMS version 5.9.0-beta.1 or later to resolve the vulnerability. Disabling allowAdminChanges is a temporary mitigation.
While no public exploits have been confirmed, the vulnerability's severity and ease of exploitation make it a likely target.
Refer to the official Craft CMS security advisory for detailed information and updates: [https://craftcms.com/security/advisories](https://craftcms.com/security/advisories)