Platform
php
Component
cms
Fixed in
5.0.1
4.0.1
This vulnerability affects Craft CMS, a popular content management system. Prior to versions 5.9.0-beta.1 and 4.17.0-beta.1, a blocklist intended to prevent dangerous PHP functions within Twig non-Closure arrow functions was incomplete. Malicious actors with sufficient privileges, such as admin access or the allowAdminChanges setting enabled, can exploit this flaw to execute arbitrary code.
The impact of this RCE vulnerability is severe. An attacker who can successfully exploit it can gain complete control over the affected Craft CMS instance. This includes the ability to read, modify, and delete sensitive data, install malicious software, and potentially pivot to other systems on the network. The ability to execute arbitrary PHP code bypasses standard security controls, making it a highly dangerous vulnerability. The requirement for admin access or allowAdminChanges does limit the immediate attack surface, but compromise of an admin account would grant the attacker full control.
This vulnerability was publicly disclosed on March 4, 2026. While no public exploits have been reported at the time of writing, the RCE nature of the vulnerability and the relatively straightforward exploitation path make it a likely target for exploitation. It is not currently listed on CISA KEV. The availability of the affected versions in production environments increases the potential for exploitation.
Exploit Status
EPSS
0.09% (25% percentile)
CISA SSVC
The primary mitigation is to upgrade to Craft CMS version 5.9.0-beta.1 or later, which includes the necessary fixes to the blocklist. If upgrading immediately is not possible, disabling the allowAdminChanges setting on production environments can significantly reduce the attack surface. Carefully review and restrict user permissions to limit the number of accounts with administrative privileges. Consider implementing a Web Application Firewall (WAF) with rules to detect and block attempts to execute arbitrary PHP code through Twig templates, although this is not a substitute for patching. Monitor system logs for unusual PHP activity or attempts to access sensitive files.
Update Craft CMS to version 5.9.0-beta.1 or 4.17.0-beta.1, or later, to fix the vulnerability. This will prevent the execution of dangerous PHP functions via Twig.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-28783 is a Remote Code Execution vulnerability in Craft CMS affecting versions 4.0.0-RC1 through 5.9.0-beta.1, allowing attackers with admin access to execute arbitrary PHP code.
You are affected if you are running Craft CMS versions 4.0.0-RC1 through 5.9.0-beta.1 and have admin access or allowAdminChanges enabled.
Upgrade to Craft CMS version 5.9.0-beta.1 or later to resolve the vulnerability. Disabling allowAdminChanges is a temporary mitigation.
While no public exploits have been confirmed, the vulnerability's severity and ease of exploitation make it a likely target.
Refer to the official Craft CMS security advisory for detailed information and updates: [https://craftcms.com/security/advisories](https://craftcms.com/security/advisories)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.