CVE-2026-28697 - Vulnerability Analysis
Severity: Critical
CVSS: 9.1
Last Updated: March 5, 2026
Craft CMS - Remote Code Execution
Published: March 4, 2026
Updated: March 5, 2026
PoC Available
Remote Exploitable
Overview
Craft CMS versions before 4.17.0-beta.1 and before 5.9.0-beta.1 contain a server-side template injection (SSTI) vulnerability: SSTI payloads injected into Twig template fields let an authenticated administrator write malicious PHP scripts and achieve remote code execution. Exploitation requires authenticated administrator privileges.
Severity & Score
Severity: Critical
CVSS Score: 9.1
Impact
Authenticated administrators can execute arbitrary system commands remotely, leading to full server compromise.
Mitigation
Update to version 4.17.0-beta.1 or later on the 4.x branch, or 5.9.0-beta.1 or later on the 5.x branch.
Details
- CVE ID: CVE-2026-28697
- Severity: Critical
- CVSS Score: 9.1
- Type: template_injection
- Status: confirmed
CWE
- CWE-1336
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H