Description

Craft is a content management system (CMS). Prior to 5.9.0-beta.1 and 4.17.0-beta.1, Craft CMS implements a blocklist to prevent potentially dangerous PHP functions from being called via Twig non-Closure arrow functions. In order to be able to successfully execute this attack, you need to either have allowAdminChanges enabled on production, or a compromised admin account, or an account with access to the System Messages utility. Several PHP functions are not included in the blocklist, which could allow malicious actors with the required permissions to execute various types of payloads, including RCEs, arbitrary file reads, SSRFs, and SSTIs. This vulnerability is fixed in 5.9.0-beta.1 and 4.17.0-beta.1.

INFO

Published Date :

2026-03-04T16:50:27.191Z

Last Modified :

2026-03-06T05:01:22.026Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-28783 vulnerability.

Vendors Products
Craftcms
  • Craft Cms
  • Craftcms
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-28783.

URL Resource
https://github.com/craftcms/cms/pull/18208 cve-icon cve-icon
https://github.com/craftcms/cms/security/advisories/GHSA-5fvc-7894-ghp4 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact