Craft is a content management system

CVE-2026-28784 is a Twig server-side template injection path in Craft CMS that can end in remote code execution on the web server. The vulnerable window spans Craft >= 4.0.0-RC1 and < 4.17.0-beta.1, plus >= 5.0.0-RC1 and < 5.9.0-beta.1; the vendor says production-safe stable fixes landed in 4.16.18 and 5.8.22. The exploit path uses the Twig map filter in text fields that accept Twig input under Settings in the control panel, or through the System Messages utility.

The vendor/NVD 7.2 HIGH score is technically defensible in a lab because successful exploitation is full server compromise. In the field, though, this is heavily gated: it needs authenticated control-panel access plus either administrator rights with allowAdminChanges enabled or a non-admin account with access to the System Messages utility. That is post-initial-access, narrow-population, and often blocked by sane Craft hardening, so the real-world patch priority comes down from HIGH to a solid MEDIUM.

Why this verdict

• Downgrade for attacker position: the chain starts with authenticated control-panel access, and the common branch needs high privileges. That implies prior compromise or insider access, which is a major downward adjustment from the vendor's 7.2 baseline.
• Downgrade for deployment friction: the admin path also expects allowAdminChanges=true, while Craft explicitly recommends false in production. In mature deployments, that setting alone kills the easiest exploit path.
• Keep it at MEDIUM, not LOW: if the attacker *does* have the needed role, the outcome is still server-side code execution with full confidentiality, integrity, and availability impact on the Craft host.

Why not higher?

This is not unauthenticated remote exploitation, and it is not broadly reachable across the exposed Craft population. The exploit chain requires either admin-level control-panel access plus a non-recommended production setting, or a narrower non-admin role with access to System Messages. There is also no KEV listing, no public exploitation evidence found, and EPSS is extremely low.

Why not lower?

Remote code execution is still remote code execution once the attacker clears the gate. If you already have exposed Craft admin surfaces, shared admin credentials, or weak SSO/MFA hygiene, this becomes a practical second-stage kill shot against the application server and its secrets. That keeps it above LOW.

1. Set allowAdminChanges to false in production — Do this first because it directly cuts off the main admin-side exploit branch documented by Craft. For a MEDIUM verdict there is no noisgate mitigation SLA; go straight to the remediation window, but this config hardening should still be applied during the same change cycle because it meaningfully reduces exposure.
2. Restrict control-panel exposure — Put the Craft control panel behind VPN, identity-aware proxy, IP allowlists, or equivalent admin-plane segmentation. This shrinks the pool of attackers who can even attempt the authenticated prerequisite; for a MEDIUM verdict there is no mitigation SLA — go straight to the 365-day remediation window, but this is worthwhile hygiene on any internet-facing CMS.
3. Review and trim System Messages utility access — Audit which roles can reach the System Messages utility and remove it from everyone except the handful of operators who actually need it. This matters because the advisory explicitly names that utility as the alternative exploitation path when allowAdminChanges is disabled.
4. Watch for PHP child-process anomalies — Tune EDR or host monitoring to alert on suspicious child processes from php-fpm, apache2, or nginx worker contexts, plus unusual shell, curl, wget, python, or package-manager execution. It will not prevent the bug, but it gives you a fighting chance to catch successful SSTI-to-RCE behavior.
5. Enforce strong admin authentication — Backstop the biggest real-world prerequisite by enforcing MFA, SSO, impossible-travel alerts, and session revocation for Craft admins. The vulnerability's practical exploitability collapses if attackers cannot cheaply get or reuse privileged panel access.

Run this on the Craft CMS host or inside the application container, pointing it at the application root that contains composer.lock or vendor/. Example: sudo ./check-cve-2026-28784.sh /var/www/craft or ./check-cve-2026-28784.sh /srv/app. It needs read access to the app files and a working php binary for version parsing; root is not required if the app directory is readable.

#!/usr/bin/env bash
# check-cve-2026-28784.sh
# Detect likely exposure to CVE-2026-28784 in Craft CMS.
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN, 3=usage/runtime error

set -u

TARGET="${1:-.}"

if ! command -v php >/dev/null 2>&1; then
  echo "UNKNOWN - php binary not found; cannot parse Craft version reliably"
  exit 2
fi

if [ ! -d "$TARGET" ]; then
  echo "UNKNOWN - target path does not exist: $TARGET"
  exit 3
fi

LOCKFILE="$TARGET/composer.lock"
INSTALLED_JSON="$TARGET/vendor/composer/installed.json"
CRAFT_COMPOSER_JSON="$TARGET/vendor/craftcms/cms/composer.json"

VERSION=""
SOURCE=""

if [ -f "$LOCKFILE" ]; then
  VERSION=$(php -r '
    $f=$argv[1];
    $j=json_decode(file_get_contents($f), true);
    if (!is_array($j)) exit(1);
    $pkgs=[];
    if (isset($j["packages"]) && is_array($j["packages"])) $pkgs=array_merge($pkgs,$j["packages"]);
    if (isset($j["packages-dev"]) && is_array($j["packages-dev"])) $pkgs=array_merge($pkgs,$j["packages-dev"]);
    foreach ($pkgs as $p) {
      if (($p["name"] ?? "") === "craftcms/cms") {
        echo $p["version"] ?? "";
        exit(0);
      }
    }
    exit(1);
  ' "$LOCKFILE" 2>/dev/null)
  if [ -n "$VERSION" ]; then SOURCE="$LOCKFILE"; fi
fi

if [ -z "$VERSION" ] && [ -f "$INSTALLED_JSON" ]; then
  VERSION=$(php -r '
    $f=$argv[1];
    $j=json_decode(file_get_contents($f), true);
    if (!is_array($j)) exit(1);
    $pkgs=[];
    if (isset($j["packages"]) && is_array($j["packages"])) {
      $pkgs=$j["packages"];
    } elseif (array_is_list($j)) {
      $pkgs=$j;
    } elseif (isset($j["versions"]) && is_array($j["versions"])) {
      $pkgs=array_values($j["versions"]);
    }
    foreach ($pkgs as $p) {
      if (($p["name"] ?? "") === "craftcms/cms") {
        echo $p["version"] ?? ($p["pretty_version"] ?? "");
        exit(0);
      }
    }
    exit(1);
  ' "$INSTALLED_JSON" 2>/dev/null)
  if [ -n "$VERSION" ]; then SOURCE="$INSTALLED_JSON"; fi
fi

if [ -z "$VERSION" ] && [ -f "$CRAFT_COMPOSER_JSON" ]; then
  VERSION=$(php -r '
    $f=$argv[1];
    $j=json_decode(file_get_contents($f), true);
    if (!is_array($j)) exit(1);
    echo $j["version"] ?? "";
  ' "$CRAFT_COMPOSER_JSON" 2>/dev/null)
  if [ -n "$VERSION" ]; then SOURCE="$CRAFT_COMPOSER_JSON"; fi
fi

if [ -z "$VERSION" ]; then
  echo "UNKNOWN - could not determine installed Craft CMS version from composer metadata"
  exit 2
fi

RESULT=$(php -r '
  $v=trim($argv[1]);
  $norm=preg_replace("/^v/i", "", $v);

  function vulnerable($ver) {
    # Known stable fixed versions from the vendor/NVD narrative:
    # 4.x fixed in 4.16.18, 5.x fixed in 5.8.22.
    # Advisory package ranges also note first unaffected prereleases:
    # 4.17.0-beta.1 and 5.9.0-beta.1.
    if (preg_match("/^4\./", $ver)) {
      return version_compare($ver, "4.0.0-RC1", ">=") && version_compare($ver, "4.16.18", "<");
    }
    if (preg_match("/^5\./", $ver)) {
      return version_compare($ver, "5.0.0-RC1", ">=") && version_compare($ver, "5.8.22", "<");
    }
    return null;
  }

  $isVuln=vulnerable($norm);
  if ($isVuln === true) {
    echo "VULNERABLE";
    exit(1);
  }
  if ($isVuln === false) {
    echo "PATCHED";
    exit(0);
  }
  echo "UNKNOWN";
  exit(2);
' "$VERSION")
STATUS=$?

echo "$RESULT - detected craftcms/cms version $VERSION from $SOURCE"
exit $STATUS

Sources

1. NVD CVE-2026-28784
2. Craft CMS GitHub security advisory GHSA-qc86-q28f-ggww
3. GitHub Advisory Database entry
4. Craft guidance: Securing Craft / allowAdminChanges
5. Patch PR #18208
6. GitLab Advisory Database entry
7. CISA Known Exploited Vulnerabilities catalog
8. Censys Craft CMS exposure reference