3 matches found
CVE-2026-28695
Summary of CVE-2026-28695 : Craft CMS 5.8.21 is vulnerable to an authenticated RCE via Server-Side Template Injection using the Twig create() function to trigger a Symfony Process gadget chain. The create() function exposes Craft::createObject(), enabling instantiation of arbitrary PHP classes wi...
GHSA-94RC-CQVM-M4PW Craft CMS Vulnerable to Authenticated RCE via Twig SSTI - create() function + Symfony Process gadget
There is an authenticated admin RCE in Craft CMS 5.8.21 via Server-Side Template Injection using the create Twig function combined with a Symfony Process gadget chain. This bypasses the fix implemented for CVE-2025-57811 patched in 5.8.7. Required Permissions - Administrator permissions or access...
PT-2026-22947
Name of the Vulnerable Software and Affected Versions Craft CMS versions 5.8.21 Craft CMS versions prior to 4.17.0-beta.1 Craft CMS versions prior to 5.9.0-beta.1 Description Craft CMS contains an authenticated Remote Code Execution RCE issue. This occurs through Server-Side Template Injection...