CVE-2026-28697 Overview
CVE-2026-28697 is a critical Server-Side Template Injection (SSTI) vulnerability in Craft CMS that enables authenticated administrators to achieve Remote Code Execution (RCE). The vulnerability exists in Twig template fields, such as Email Templates, where an attacker can inject malicious SSTI payloads. By leveraging the craft.app.fs.write() method, attackers can write a malicious PHP script to a web-accessible directory and subsequently execute arbitrary system commands by accessing the script via a browser.
Critical Impact
An authenticated administrator can achieve full Remote Code Execution on the underlying server, potentially leading to complete system compromise, data exfiltration, and lateral movement within the infrastructure.
Affected Products
- Craft CMS versions prior to 4.17.0-beta.1 (version 4.x branch)
- Craft CMS versions prior to 5.9.0-beta.1 (version 5.x branch)
- All Craft CMS 4.0.0 release candidates (rc1, rc2, rc3)
Discovery Timeline
- 2026-03-04 - CVE-2026-28697 published to NVD
- 2026-03-05 - Last updated in NVD database
Technical Details for CVE-2026-28697
Vulnerability Analysis
This vulnerability stems from improper handling of user-supplied input within Twig template rendering contexts in Craft CMS. Craft CMS utilizes the Twig templating engine for rendering dynamic content, including email templates and other customizable fields accessible to administrators. The application fails to adequately sanitize or restrict the Twig functions and methods available within these template contexts, allowing an authenticated administrator to inject arbitrary Twig expressions that execute server-side code.
The exploitation chain involves two critical steps: first, the attacker injects an SSTI payload that calls internal Craft CMS methods, specifically craft.app.fs.write(), to write a malicious PHP file to a web-accessible directory. Second, the attacker accesses this newly created PHP file via HTTP request, triggering arbitrary command execution on the server. This attack pattern is particularly dangerous because it converts administrative access into full system-level code execution.
Root Cause
The root cause of CVE-2026-28697 is classified under CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine). The vulnerability arises because Craft CMS exposes powerful internal application methods through the Twig template context without proper restrictions. The craft.app.fs.write() method, which provides file system write capabilities, should not be accessible from user-controllable template fields. The lack of a sandbox or allowlist for available methods in administrator-controllable template contexts enables this exploitation path.
Attack Vector
The attack is executed over the network and requires authenticated access with administrator privileges. The attacker navigates to a template field within the Craft CMS admin panel, such as Email Templates, and injects a Server-Side Template Injection payload. The payload leverages the Twig templating syntax to call the craft.app.fs.write() method, writing a PHP webshell or other malicious script to a publicly accessible directory within the web root.
Once the malicious PHP file is written to disk, the attacker can access it directly via an HTTP request to execute arbitrary system commands. While the vulnerability requires administrator authentication, it significantly escalates the impact of compromised admin credentials from application-level access to full server compromise. Organizations should consider this vulnerability particularly critical in multi-tenant environments or where administrator accounts may be shared or poorly secured.
For detailed technical analysis and proof-of-concept information, refer to the GitHub Security Advisory GHSA-v47q-jxvr-p68x.
Detection Methods for CVE-2026-28697
Indicators of Compromise
- Unexpected PHP files appearing in web-accessible directories, particularly with recent modification timestamps
- Anomalous HTTP requests to newly created PHP files that were not part of the original Craft CMS installation
- Twig template configurations containing suspicious method calls such as craft.app.fs.write() or references to PHP file extensions
- Unusual outbound network connections or command execution patterns originating from the web server process
Detection Strategies
- Implement file integrity monitoring (FIM) on web-accessible directories to detect unauthorized file creation or modification
- Review Craft CMS admin audit logs for template modifications, particularly those containing filesystem-related method calls
- Deploy web application firewall (WAF) rules to detect SSTI patterns in request payloads targeting Craft CMS admin endpoints
- Monitor PHP process behavior for unexpected child processes or command execution patterns
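The two host-side indicators above (suspicious method calls in stored Twig templates, and PHP files in the web root that were not part of the deployment) can be checked with a small script. The following is an added example written for this page, not Craft CMS code and not from the advisory; the template contents, the web root layout and the deployment baseline are constructed fixtures, and the function names (`scan_template`, `unexpected_php_files`, `run_demo`) are the example's own. The template scanner runs over any saved template source, and the file check compares a directory tree against a baseline list of expected PHP paths, so both generalize beyond the two fixtures shown.

```python
"""Defender-side checks for the CVE-2026-28697 indicators listed above.

1. scan_template: flag lines in Twig template source that reference
   craft.app.fs.write( or a .php file name.
2. unexpected_php_files: list PHP files under a web-accessible directory
   that are absent from a deployment baseline.
All sample data below is constructed for illustration.
"""
import re
import tempfile
from pathlib import Path

# Indicators taken from the advisory text; patterns are this example's own.
SUSPICIOUS_TEMPLATE_PATTERNS = {
    "fs_write": re.compile(r"craft\.app\.fs\.write\s*\(", re.IGNORECASE),
    "php_extension": re.compile(r"\.php\b", re.IGNORECASE),
}

# Constructed template fixtures: one benign, one carrying both indicators
# with placeholder arguments (not a working payload).
SAMPLE_TEMPLATES = {
    "email/activation.twig": (
        "<p>Hello {{ user.friendlyName }},</p>\n"
        "<p>Welcome to {{ siteName }}.</p>"
    ),
    "email/forgot_password.twig": (
        "{% set out = craft.app.fs.write('PLACEHOLDER.php', 'PLACEHOLDER') %}\n"
        "<p>{{ user.friendlyName }}</p>"
    ),
}

# Constructed deployment baseline: PHP files expected in the web root.
BASELINE = {"index.php"}


def scan_template(name: str, source: str) -> list[dict]:
    """Return one finding per (line, indicator) match in a template source."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for label, pattern in SUSPICIOUS_TEMPLATE_PATTERNS.items():
            if pattern.search(line):
                findings.append({
                    "template": name,
                    "line": line_no,
                    "indicator": label,
                    "text": line.strip(),
                })
    return findings


def unexpected_php_files(web_root: Path, baseline: set[str]) -> list[str]:
    """Return relative paths of *.php files under web_root not in baseline."""
    found = []
    for path in sorted(web_root.rglob("*.php")):
        rel = path.relative_to(web_root).as_posix()
        if rel not in baseline:
            found.append(rel)
    return found


def run_demo() -> tuple[list[dict], list[str]]:
    """Run both checks against the constructed fixtures."""
    findings = []
    for name, source in SAMPLE_TEMPLATES.items():
        findings.extend(scan_template(name, source))

    # Build a throwaway web root: index.php is expected, uploads/unexpected.php is not.
    with tempfile.TemporaryDirectory() as tmp:
        web_root = Path(tmp)
        for rel in ("index.php", "assets/site.css", "uploads/unexpected.php"):
            target = web_root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            body = "<?php // constructed fixture\n" if rel.endswith(".php") else "/* css */\n"
            target.write_text(body)
        unexpected = unexpected_php_files(web_root, BASELINE)
    return findings, unexpected


if __name__ == "__main__":
    template_findings, new_php = run_demo()
    for finding in template_findings:
        print(f"[template] {finding['template']}:{finding['line']} "
              f"{finding['indicator']}: {finding['text']}")
    for rel in new_php:
        print(f"[webroot] PHP file not in baseline: {rel}")
```

In practice the template sources would come from the Craft database or project config and the baseline from the deployment artifact; a hit from either check is a trigger for the admin-log review and forensic steps described below, not proof of compromise on its own.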
Monitoring Recommendations
- Enable comprehensive logging for Craft CMS administrative actions, including template field modifications
- Implement real-time alerting for new file creation in web root directories outside of normal deployment workflows
- Deploy endpoint detection and response (EDR) solutions to monitor for post-exploitation behaviors following potential RCE
- Regularly audit administrator account access and authentication events for signs of credential compromise
How to Mitigate CVE-2026-28697
Immediate Actions Required
- Upgrade Craft CMS to version 4.17.0-beta.1 or later for the 4.x branch
- Upgrade Craft CMS to version 5.9.0-beta.1 or later for the 5.x branch
- Review all existing email templates and custom template fields for suspicious SSTI payloads
- Audit administrator accounts and enforce strong authentication, including multi-factor authentication (MFA)
- Conduct a forensic review of web-accessible directories for unauthorized PHP files
Patch Information
Craft CMS has addressed this vulnerability in versions 4.17.0-beta.1 and 5.9.0-beta.1. The fix restricts access to dangerous internal methods from the Twig template context, preventing the exploitation of SSTI payloads to achieve code execution.
For technical details on the security patches, see:
Workarounds
- Restrict administrator access to trusted personnel only and implement the principle of least privilege for admin accounts
- Deploy a Web Application Firewall (WAF) with rules to block SSTI patterns in requests to admin endpoints
- Implement file system permissions that prevent the web server process from writing to web-accessible directories where possible
- Consider placing the Craft CMS admin panel behind additional authentication layers such as VPN or IP allowlisting

# Example: Restrict write permissions on web-accessible directories.
# The path below is an example; substitute the site's actual web root.
# Adjust for any subdirectory the application legitimately needs to write to.
WEB_ROOT="/var/www/html/web"
chown root:root "$WEB_ROOT"
chmod 755 "$WEB_ROOT"
# Ensure the web server process cannot write to the web root:
# directories readable and traversable, files read-only for non-owners.
find "$WEB_ROOT" -type d -exec chmod 755 {} \;
find "$WEB_ROOT" -type f -exec chmod 644 {} \;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.