30 matches found

OSV
added 2026/03/16 6:13 p.m., 5 views

GHSA-4484-8V2F-5748 Craft CMS vulnerable to behavior injection RCE ElementIndexesController and FieldsController

The fix for https://github.com/advisories/GHSA-7jx7-3846-m7w7 (commit https://github.com/craftcms/cms/commit/395c64f0b80b507be1c862a2ec942eaacb353748) only patched src/services/Fields.php, but the same vulnerable pattern exists in ElementIndexesController and FieldsController. You need Craft contro...

CVSS 8.6, AI score 5.8, EPSS 0.00048
Exploits 0, References 6

Github Security Blog
added 2026/03/16 6:13 p.m., 6 views

Craft CMS vulnerable to behavior injection RCE ElementIndexesController and FieldsController

The fix for https://github.com/advisories/GHSA-7jx7-3846-m7w7 (commit https://github.com/craftcms/cms/commit/395c64f0b80b507be1c862a2ec942eaacb353748) only patched src/services/Fields.php, but the same vulnerable pattern exists in ElementIndexesController and FieldsController. You need Craft contro...

CVSS 8.6, AI score 5.8, EPSS 0.00048
Exploits 0, References 6, Affected Software 1

Snyk
added 2026/03/16 6:13 p.m., 5 views

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

Overview: craftcms/cms is a content management system. Affected versions of this package are vulnerable to Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') via the ElementIndexesController and FieldsController components. An attacker can execute arbitrary code by...

CVSS 8.6, AI score 6.2, EPSS 0.00048
Exploits 0, References 2

Snyk
added 2026/03/16 6:12 p.m., 3 views

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

Overview: craftcms/cms is a content management system. Affected versions of this package are vulnerable to Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') in the actionApplyOverrideSettings function. An attacker can execute arbitrary code by injecting malicious...

CVSS 8.6, AI score 6.2, EPSS 0.00048
Exploits 0, References 2

OSV
added 2026/03/16 6:11 p.m., 1 view

GHSA-8WG7-WM29-2RVG RCE via SSTI for users with permissions to access the Craft CMS Webhooks plugin

The Webhooks plugin renders user-supplied template content through Twig’s renderString function without sandbox protection. This allows an authenticated user with access to the Craft control panel and permissions to access the Webhooks plugin to inject Twig template code that calls arbitrary PHP...

CVSS 8.5, AI score 6, EPSS 0.00017
Exploits 0, References 4

NVD
added 2026/03/04 5:16 p.m., 2 views

CVE-2026-28784

Craft is a content management system (CMS). Prior to 5.8.22 and 4.16.18, it is possible to craft a malicious payload using the Twig map filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to RCE. For this to...

CVSS 8.6, EPSS 0.00021
Exploits 0, References 3

Vulnrichment
added 2026/03/04 4:53 p.m., 2 views

CVE-2026-28784 Craft is affected by potential authenticated Remote Code Execution via Twig SSTI

Craft is a content management system (CMS). Prior to 5.8.22 and 4.16.18, it is possible to craft a malicious payload using the Twig map filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to RCE. For this to...

CVSS 8.6, AI score 6, EPSS 0.00021
Exploits 0, References 3

CVE
added 2026/03/04 4:53 p.m., 4 views

CVE-2026-28784

Craft CMS is affected by a Server-Side Template Injection (Twig map filter) vulnerability prior to versions 5.8.22 and 4.16.18. The issue arises in text fields that accept Twig input (Settings in the Craft Control Panel or via the System Messages utility), allowing an attacker with administrator ...

CVSS 8.6, AI score 6, EPSS 0.00021
Exploits 0, References 3, Affected Software 1

Github Security Blog
added 2026/03/03 9:06 p.m., 3 views

Craft CMS has potential authenticated Remote Code Execution via Twig SSTI

For this to work, the attacker must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled, which is against Craft CMS' recommendations for any non-dev environment. https://craftcms.com/knowledge-base/securing-craftset-allowAdminChanges-to-false-in-production...

CVSS 8.6, AI score 6, EPSS 0.00021
Exploits 0, References 5, Affected Software 1

OSV
added 2026/03/03 9:06 p.m., 2 views

GHSA-QC86-Q28F-GGWW Craft CMS has potential authenticated Remote Code Execution via Twig SSTI

For this to work, the attacker must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled, which is against Craft CMS' recommendations for any non-dev environment. https://craftcms.com/knowledge-base/securing-craftset-allowAdminChanges-to-false-in-production...

CVSS 8.6, AI score 6, EPSS 0.00021
Exploits 0, References 5

Snyk
added 2026/03/03 9:00 p.m., 2 views

Template Injection

Overview: craftcms/cms is a content management system. Affected versions of this package are vulnerable to Template Injection via the craft.app.fs.write function in Twig templates. An attacker can execute arbitrary system commands and disclose sensitive information by injecting malicious payloads...

CVSS 9.4, AI score 5.9, EPSS 0.00208
Exploits 1, References 2

Snyk
added 2026/03/03 8:58 p.m., 1 view

Cross-site Scripting (XSS)

Overview: craftcms/cms is a content management system. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via unsanitized rendering of user-supplied input in settings names and field option labels within the checkbox.twig template. An attacker can execute arbitrary...

CVSS 6.2, AI score 5.7
Exploits 0, References 2

Snyk
added 2026/03/03 8:30 p.m., 2 views

Template Injection

Overview: craftcms/cms is a content management system. Affected versions of this package are vulnerable to Template Injection via the create function. An attacker can execute arbitrary code on the server by supplying a crafted payload that instantiates dangerous classes, such as...

CVSS 7.5, AI score 6.2, EPSS 0.00027
Exploits 1, References 4

Positive Technologies
added 2026/03/03 12:00 a.m., 3 views

PT-2026-22997

Name of the Vulnerable Software and Affected Versions: Craft CMS versions prior to 5.8.22; Craft CMS versions prior to 4.16.18. Description: Craft is a content management system. A malicious payload can be crafted using the Twig map filter in text fields that accept Twig input within the Settings...

CVSS 8.6, AI score 6.6, EPSS 0.00021
Exploits 0, References 6

OSV
added 2026/02/25 7:11 p.m., 2 views

GHSA-6J87-M5QX-9FQP Craft CMS has Stored XSS in Table Field in its "Row Heading" Column Type

A stored Cross-site Scripting (XSS) vulnerability exists in the editableTable.twig component when using the Row Heading column type. The application fails to sanitize input within row headings, allowing an attacker to execute arbitrary JavaScript when another user views a page with the malicious...

CVSS 2.3, AI score 6
Exploits 0, References 6

RedhatCVE
added 2026/02/25 4:06 a.m., 1 view

CVE-2026-27126

Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a stored Cross-site Scripting (XSS) vulnerability exists in the editableTable.twig component when using the html column type. The application fails to sanitize the input, allowing an attack...

CVSS 5.9, AI score 5.9, EPSS 0.00012
Exploits 0, References 1

NVD
added 2026/02/24 3:16 a.m., 5 views

CVE-2026-27126

Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a stored Cross-site Scripting (XSS) vulnerability exists in the editableTable.twig component when using the html column type. The application fails to sanitize the input, allowing an attack...

CVSS 5.9, EPSS 0.00012
Exploits 0, References 2

Vulnrichment
added 2026/02/24 2:30 a.m., 1 view

CVE-2026-27126 Craft CMS has Stored XSS in Table Field via "HTML" Column Type

Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a stored Cross-site Scripting (XSS) vulnerability exists in the editableTable.twig component when using the html column type. The application fails to sanitize the input, allowing an attack...

CVSS 5.9, AI score 5.9, EPSS 0.00012
Exploits 0, References 2

EUVD
added 2026/02/24 2:30 a.m., 2 views

EUVD-2026-7406

Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a stored Cross-site Scripting (XSS) vulnerability exists in the editableTable.twig component when using the html column type. The application fails to sanitize the input, allowing an attack...

CVSS 5.9, AI score 5.9, EPSS 0.00012
Exploits 0, References 2

ATTACKERKB
added 2026/02/24 2:30 a.m., 3 views

CVE-2026-27126

Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a stored Cross-site Scripting (XSS) vulnerability exists in the editableTable.twig component when using the html column type. The application fails to sanitize the input, allowing an attack...

CVSS 5.9, AI score 5.9, EPSS 0.00012
Exploits 0, References 3, Affected Software 1