CVE-2026-28784 Overview
CVE-2026-28784 is a Remote Code Execution (RCE) vulnerability affecting Craft CMS, a popular content management system. The vulnerability exists in the handling of the Twig template engine's map filter within text fields that accept Twig input. Specifically, attackers with administrative access to the Craft Control Panel or access to the System Messages utility can craft malicious payloads that lead to arbitrary code execution on the underlying server.
The vulnerability requires either administrator access with allowAdminChanges enabled, or non-administrator access to the System Messages utility. While this limits the attack surface to authenticated users with specific privileges, successful exploitation grants full server-side code execution capabilities.
Critical Impact
Authenticated attackers can achieve Remote Code Execution through malicious Twig template payloads, potentially leading to complete server compromise, data exfiltration, and lateral movement within the network.
Affected Products
- Craft CMS 5.x: 5.0.0 through 5.8.21 (including RC releases); fixed in 5.8.22
- Craft CMS 4.x: 4.0.0 through 4.16.17 (including RC releases); fixed in 4.16.18
Discovery Timeline
- March 4, 2026 - CVE-2026-28784 published to NVD
- March 5, 2026 - Last updated in NVD database
Technical Details for CVE-2026-28784
Vulnerability Analysis
This vulnerability is classified as CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine). The Craft CMS platform utilizes the Twig templating engine to provide flexible content rendering capabilities. Within the Craft Control Panel, certain text fields under Settings and the System Messages utility accept Twig template syntax, enabling administrators to create dynamic content.
The flaw lies in how the Twig map filter is handled when the template comes from one of these user-editable fields. The map filter applies an arrow function to each element of a sequence; because the arrow function body is not adequately restricted, a user who can write Twig into such a field can reach primitives that execute arbitrary server-side code when the template is rendered.
The vulnerability can be exploited through two attack paths: administrators with allowAdminChanges enabled (which Craft CMS recommends disabling in production), or non-administrators who have been granted access to the System Messages utility. Once a malicious Twig payload is processed, arbitrary server-side code execution occurs.
Root Cause
The root cause is improper neutralization of special elements in the processing of the Twig map filter within templates that Craft renders from user-editable fields. The filter's callback mechanism does not adequately restrict what the arrow function may evaluate, so instead of being confined to harmless data transformation, a crafted map call can reach PHP functions or system commands.
Attack Vector
The attack is network-based and requires authentication to the Craft CMS Control Panel. An attacker must have either administrator privileges with allowAdminChanges enabled, or access to the System Messages utility as a non-administrator user.
The exploitation flow involves:
- Authenticating to the Craft CMS Control Panel
- Navigating to a Twig-enabled text field (Settings section or System Messages utility)
- Injecting a malicious payload using the Twig map filter with embedded code execution primitives
- Triggering template processing to execute the payload on the server
The map filter accepts arrow functions that can be crafted to invoke dangerous PHP functions, enabling command execution, file manipulation, or other server-side operations. Successful exploitation results in full server compromise within the context of the web server user.
Detection Methods for CVE-2026-28784
Indicators of Compromise
- Unusual or unexpected Twig template content in the Control Panel Settings or System Messages
- Access logs showing repeated modifications to System Messages or Settings fields by privileged users
- Web application firewall logs containing Twig syntax with suspicious arrow functions or filter chains
- Unexpected process executions or network connections originating from the web server process
- Newly created or modified files outside of expected Craft CMS directories
Detection Strategies
- Monitor Control Panel audit logs for modifications to Twig-enabled fields by any user
- Implement file integrity monitoring on Craft CMS configuration and template directories
- Deploy web application firewall rules to detect Twig injection patterns, particularly the map filter with arrow function syntax
- Review access logs for anomalous authentication patterns to the Craft CMS Control Panel
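The following script, added here as an illustration and not part of Craft CMS or this advisory, applies the detection strategies above to two inputs: exported Twig content (System Messages bodies or Settings field values, keyed by location) and Control Panel access-log lines. It flags every Twig tag that uses the map filter with an arrow function, escalating to high severity when the arrow body references PHP execution functions or the craft.app object, and lists POST requests into the System Messages utility or Settings area. The Control Panel path layout (default cpTrigger "admin", paths containing system-messages or /settings/) and all sample content are assumptions; the third sample message is a marker string that trips the heuristic, not a working payload.

```python
"""Heuristic review of Twig-enabled Craft CMS content and CP access logs.

Added example for this page, not Craft CMS code. Sample data is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Any Twig output or statement tag; non-greedy so adjacent tags stay separate.
TWIG_TAG = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)
# The map filter called with an arrow function: |map(v => ...) or |map((k, v) => ...)
MAP_ARROW = re.compile(r"\|\s*map\s*\(\s*\(?[\w\s,]*\)?\s*=>", re.S)
# Names that have no place in a notification template; a hit is high severity.
SUSPICIOUS = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|file_put_contents)\b"
    r"|\bcraft\.app\b",
    re.I,
)


@dataclass
class Finding:
    location: str   # e.g. "<message key>/<language>" or a settings field name
    snippet: str
    severity: str   # "review" (legitimate map usage is possible) or "high"


def scan_twig(location: str, text: str) -> list[Finding]:
    """Return one Finding per Twig tag that uses map with an arrow function."""
    findings = []
    for m in TWIG_TAG.finditer(text):
        tag = m.group(0)
        if MAP_ARROW.search(tag):
            severity = "high" if SUSPICIOUS.search(tag) else "review"
            findings.append(Finding(location, tag, severity))
    return findings


def scan_messages(messages: dict[str, str]) -> list[Finding]:
    """Scan a mapping of location -> Twig source (e.g. exported System Messages)."""
    findings = []
    for location, body in messages.items():
        findings.extend(scan_twig(location, body))
    return findings


# Combined log format: client IP, ident, user, [timestamp], "METHOD path ...".
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)'
)


def scan_access_log(lines: list[str], cp_trigger: str = "admin") -> list[tuple[str, str, str]]:
    """Return (ip, timestamp, path) for POSTs into the System Messages utility or
    Settings area. The path layout under the CP trigger is an assumption; adjust it
    to your install. Craft also accepts the CP path via the `p` query parameter,
    so correlate with Control Panel audit logs rather than relying on this alone."""
    hits = []
    prefix = f"/{cp_trigger}/"
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]
        if path.startswith(prefix) and ("system-messages" in path or "/settings/" in path):
            hits.append((m["ip"], m["ts"], path))
    return hits


# Constructed sample content. The third entry is a marker string that trips the
# heuristic; it is not a working payload.
SAMPLE_MESSAGES = {
    "account_activation/en": "<p>Hi {{ user.friendlyName }}, activate here: {{ link }}</p>",
    "verify_new_email/en": "{{ user.groups|map(g => g.name)|join(', ') }}",
    "forgot_password/en": "{{ [0]|map(v => craft.app.id) }}",
}

# Constructed access-log lines in combined format.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Mar/2026:10:01:02 +0000] "GET /admin/dashboard HTTP/1.1" 200 512',
    '10.0.0.5 - - [04/Mar/2026:10:03:44 +0000] "POST /admin/utilities/system-messages HTTP/1.1" 302 0',
    '203.0.113.9 - - [04/Mar/2026:10:05:10 +0000] "POST /admin/settings/general HTTP/1.1" 200 81',
    '203.0.113.9 - - [04/Mar/2026:10:06:00 +0000] "POST /index.php?p=actions/users/login HTTP/1.1" 200 44',
]

if __name__ == "__main__":
    for f in scan_messages(SAMPLE_MESSAGES):
        print(f"[{f.severity}] {f.location}: {f.snippet}")
    for ip, ts, path in scan_access_log(SAMPLE_LOG):
        print(f"[cp-write] {ip} {ts} POST {path}")
```

A "review" finding is not proof of compromise: map with an arrow function is legitimate Twig and appears in ordinary templates, so the value of the scan is in comparing the current content of these fields against a known-good export and in pairing any write to them (the access-log hits) with the account that made it.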
Monitoring Recommendations
- Enable comprehensive logging for all Craft CMS Control Panel administrative actions
- Configure alerting for any changes to System Messages or Settings fields
- Monitor web server processes for unexpected child processes or outbound connections
- Implement runtime application self-protection (RASP) to detect and block template injection attacks
How to Mitigate CVE-2026-28784
Immediate Actions Required
- Update Craft CMS to version 5.8.22 or later for 5.x installations
- Update Craft CMS to version 4.16.18 or later for 4.x installations
- Set allowAdminChanges to false in production environments immediately; this closes the administrator path only, so it must be combined with the next step
- Audit which accounts hold the System Messages utility permission and remove it from everyone who does not strictly need it
- Review recent changes to Settings and System Messages for any suspicious content
Patch Information
Craft CMS has released security patches in versions 5.8.22 and 4.16.18 that address this vulnerability. The fixes are detailed in GitHub Pull Request #18208. Users should update to these patched versions immediately.
For additional technical details and security guidance, refer to the GitHub Security Advisory GHSA-qc86-q28f-ggww and the Craft CMS Security Guide.
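To confirm which side of the fix an installation sits on, the following script, added here as an illustration and not Craft CMS tooling, reads the craftcms/cms entry from composer.lock and compares it with the first fixed release of its branch as stated above (5.8.22 for 5.x, 4.16.18 for 4.x). Pre-release tags such as 5.8.22-RC1 are treated as older than 5.8.22, consistent with the affected range including RC releases. The composer.lock content embedded below is constructed.

```python
"""Check an installed craftcms/cms version against the fixed releases.

Added example for this page, not Craft CMS tooling. The composer.lock
fragment at the bottom is constructed.
"""
from __future__ import annotations

import json
import re

# First release of each supported branch that contains the fix.
FIXED = {4: (4, 16, 18), 5: (5, 8, 22)}


def parse_version(version: str) -> tuple[tuple[int, int, int], bool]:
    """'v5.8.21-RC1' -> ((5, 8, 21), True); the flag marks a pre-release."""
    core, _, pre = version.lstrip("vV").partition("-")
    parts = [int(p) for p in re.findall(r"\d+", core)[:3]]
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2]), bool(pre)


def is_vulnerable(version: str) -> bool | None:
    """True if below the branch's fixed release, False if at or after it,
    None if the major version is not one the advisory covers."""
    nums, pre = parse_version(version)
    fixed = FIXED.get(nums[0])
    if fixed is None:
        return None
    # An RC of the fixed version predates the fixed version itself.
    return nums < fixed or (nums == fixed and pre)


def installed_version(composer_lock: str) -> str | None:
    """Pull the craftcms/cms version string out of composer.lock JSON."""
    for pkg in json.loads(composer_lock).get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg.get("version")
    return None


def report(composer_lock: str) -> str:
    version = installed_version(composer_lock)
    if version is None:
        return "craftcms/cms not found in composer.lock"
    state = is_vulnerable(version)
    if state is None:
        return f"craftcms/cms {version}: branch not covered by the CVE-2026-28784 advisory"
    return f"craftcms/cms {version}: {'VULNERABLE' if state else 'patched'}"


# Constructed composer.lock fragment.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "craftcms/cms", "version": "5.8.21"},
    {"name": "twig/twig", "version": "3.20.0"},
]})

if __name__ == "__main__":
    import sys
    lock_path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(lock_path).read() if lock_path else SAMPLE_LOCK
    print(report(text))
```

Run it as `python check_craft.py composer.lock` in the project root; `composer show craftcms/cms` gives the same version string if you prefer to read it by hand. A None result means the major version is outside the 4.x and 5.x ranges the advisory names, which is a reason to consult the advisory directly, not a clean bill of health.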
Workarounds
- Set allowAdminChanges to false in config/general.php for every non-development environment; this closes the administrator path but not the System Messages utility path, so it is not a complete workaround on its own
- Restrict the System Messages utility permission to only essential personnel and remove it from every account that does not need it
- Implement network-level access controls to limit Control Panel access to trusted IP ranges
- Until the patch is applied, treat every user who can edit Twig-enabled fields (Settings text fields, System Messages) as having shell access to the server, and reduce that set accordingly
Configuration example for config/general.php, using Craft's multi-environment form (the key matching CRAFT_ENVIRONMENT overrides the '*' defaults):

```php
<?php
// config/general.php
return [
    '*' => [],
    'dev' => ['allowAdminChanges' => true],
    'production' => ['allowAdminChanges' => false],
];
```

Restricting Control Panel access by IP in nginx ("/admin" is the default cpTrigger; merge this into the existing Craft server block so the request still reaches index.php, and note that Craft also accepts the CP path through the `p` query parameter, so a path-based rule is a defense-in-depth measure rather than a complete one):

```nginx
location /admin {
    allow 10.0.0.0/8;
    deny all;
    try_files $uri $uri/ /index.php?$query_string;
}
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

