GHSA-94RC-CQVM-M4PW Craft CMS Vulnerable to Authenticated RCE via Twig SSTI - create() function + Symfony Process gadget

There is an authenticated admin RCE in Craft CMS 5.8.21 via Server-Side Template Injection using the create Twig function combined with a Symfony Process gadget chain. This bypasses the fix implemented for CVE-2025-57811 patched in 5.8.7. Required Permissions - Administrator permissions or access...

PT-2026-22947

Name of the Vulnerable Software and Affected Versions Craft CMS versions 5.8.21 Craft CMS versions prior to 4.17.0-beta.1 Craft CMS versions prior to 5.9.0-beta.1 Description Craft CMS contains an authenticated Remote Code Execution RCE issue. This occurs through Server-Side Template Injection...