CVE-2026-28695

Craft is a content management system (CMS). There is an authenticated admin RCE in Craft CMS 5.8.21 via Server-Side Template Injection using the create() Twig function combined with a Symfony Process gadget chain. The create() Twig function exposes Craft::createObject(), which allows instantiation of arbitrary PHP classes with constructor arguments. Combined with the bundled symfony/process dependency, this enables RCE. This bypasses the fix implemented for CVE-2025-57811 (patched in 5.8.7). This vulnerability is fixed in 5.9.0-beta.1 and 4.17.0-beta.1.

Craft is a content management system (CMS). There is an authenticated admin RCE in Craft CMS 5.8.21 via Server-Side Template Injection using the create() Twig function combined with a Symfony Process gadget chain. The create() Twig function exposes Craft::createObject(), which allows instantiation of arbitrary PHP classes with constructor arguments. Combined with the bundled symfony/process dependency, this enables RCE. This bypasses the fix implemented for CVE-2025-57811 (patched in 5.8.7). This vulnerability is fixed in 5.9.0-beta.1 and 4.17.0-beta.1.

There is an authenticated admin RCE in Craft CMS 5.8.21 via Server-Side Template Injection using the `create()` Twig function combined with a Symfony Process gadget chain. This bypasses the fix implemented for CVE-2025-57811 (patched in 5.8.7). ## Required Permissions - Administrator permissions or access to System Messages utility - `allowAdminChanges` enabled in production ([against our security recommendations](https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production)) or access to System Messages utility ## Vulnerability Details The `create()` Twig function exposes `Craft::createObject()`, which allows instantiation of arbitrary PHP classes with constructor arguments. Combined with the bundled `symfony/process` dependency, this enables RCE. ## Attack Vector Admin panel → Settings → Entry Types → Title Format field ## Proof of Concept Payload ``` {% set p = create("Symfony\\Component\\Process\\Process", [["id"]]) %}{{ p.mustRun.getOutput }} ``` ## Steps to Reproduce 1. Log in as admin 2. Navigate to Settings → Entry Types 3. Edit any entry type’s "Title Format" field 4. Insert the payload above 5. Create/edit an entry of that type 6. Command executes, output appears in entry title ## Impact - Authenticated Remote Code Execution - Runs as web server user (root in default Docker setup) - Full server compromise ## Root Cause Craft::createObject() allows the instantiation of any class, including `Symfony\Component\Process\Process`, which executes shell commands. ## Suggested Fix - Blocklist dangerous classes in createObject() when called from Twig - Or remove/restrict the create() Twig function - Or validate class names against an allowlist ## Resources https://github.com/craftcms/cms/commit/e31e50849ad71638e11ea55fbd1ed90ae8f8f6e0

There is an authenticated admin RCE in Craft CMS 5.8.21 via Server-Side Template Injection using the `create()` Twig function combined with a Symfony Process gadget chain. This bypasses the fix implemented for CVE-2025-57811 (patched in 5.8.7). ## Required Permissions - Administrator permissions or access to System Messages utility - `allowAdminChanges` enabled in production ([against our security recommendations](https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production)) or access to System Messages utility ## Vulnerability Details The `create()` Twig function exposes `Craft::createObject()`, which allows instantiation of arbitrary PHP classes with constructor arguments. Combined with the bundled `symfony/process` dependency, this enables RCE. ## Attack Vector Admin panel → Settings → Entry Types → Title Format field ## Proof of Concept Payload ``` {% set p = create("Symfony\\Component\\Process\\Process", [["id"]]) %}{{ p.mustRun.getOutput }} ``` ## Steps to Reproduce 1. Log in as admin 2. Navigate to Settings → Entry Types 3. Edit any entry type’s "Title Format" field 4. Insert the payload above 5. Create/edit an entry of that type 6. Command executes, output appears in entry title ## Impact - Authenticated Remote Code Execution - Runs as web server user (root in default Docker setup) - Full server compromise ## Root Cause Craft::createObject() allows the instantiation of any class, including `Symfony\Component\Process\Process`, which executes shell commands. ## Suggested Fix - Blocklist dangerous classes in createObject() when called from Twig - Or remove/restrict the create() Twig function - Or validate class names against an allowlist ## Resources https://github.com/craftcms/cms/commit/e31e50849ad71638e11ea55fbd1ed90ae8f8f6e0

Craft es un sistema de gestión de contenido (CMS). Hay una RCE de administrador autenticado en Craft CMS 5.8.21 a través de Inyección de Plantilla del Lado del Servidor usando la función Twig create() combinada con una cadena de gadgets de Symfony Process. La función Twig create() expone Craft::createObject(), lo que permite la instanciación de clases PHP arbitrarias con argumentos de constructor. Combinado con la dependencia symfony/process incluida, esto habilita RCE. Esto elude la corrección implementada para CVE-2025-57811 (parcheado en 5.8.7). Esta vulnerabilidad está corregida en 5.9.0-beta.1 y 4.17.0-beta.1.