Home / Vulnerability Intelligence / CVE-2026-28697

CVE-2026-28697 - Vulnerability Analysis

CriticalCVSS: 9.1

Last Updated: March 5, 2026

Craft CMS - Remote Code Execution

Published: March 4, 2026Updated: March 5, 2026PoC AvailableRemote Exploitable

Overview

Craft CMS < 4.17.0-beta.1 and < 5.9.0-beta.1 contains a server-side template injection caused by injection of SSTI payloads into Twig template fields, letting authenticated administrators achieve remote code execution by writing malicious PHP scripts, exploit requires authenticated administrator privileges.

Severity & Score

Severity: Critical

CVSS Score: 9.1

EPSS Score: 37.9%(Probability of exploitation in next 30 days)

Impact

Authenticated administrators can execute arbitrary system commands remotely, leading to full server compromise.

Mitigation

Update to version 4.17.0-beta.1 or 5.9.0-beta.1 or later.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 5, 2026

🔴 CVE-2026-28697 - Critical (9.1) Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, an authenticated administrator can achieve Remote Code Execution (RCE) by injecting a Server-Side Template Injection (SSTI) payload into Twig template fields (e.g... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-28697/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-28697
Severity: Critical
CVSS Score: 9.1
Type: template_injection
Status: confirmed
EPSS: 37.9%
Social Posts: 1

CWE

CWE-1336

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

EPSS Score

37.9%Probability of exploitation in the next 30 days