CVE-2026-28695 is a critical security vulnerability affecting Craft CMS, a popular content management system. The issue is a server-side template injection (SSTI) vulnerability that enables authenticated administrators to achieve remote code execution (RCE). The root cause lies in the improper neutralization of special elements in the Twig template engine's create() function, which exposes the Craft::createObject() method. This method allows instantiation of arbitrary PHP classes with constructor arguments. Attackers can exploit this by chaining with the symfony/process dependency bundled within Craft CMS, enabling execution of arbitrary system commands on the server. This vulnerability effectively bypasses the prior patch for CVE-2025-57811, indicating a regression or incomplete fix. The affected versions include Craft CMS from 5.8.7 up to but not including 5.9.0-beta.1, and from 4.0.0-RC1 up to but not including 4.17.0-beta.1. The vulnerability requires authenticated admin privileges but does not require user interaction, and it has a CVSS 4.0 score of 7.5, reflecting high severity. No public exploits have been reported yet, but the potential for damage is significant due to the ability to execute arbitrary code on the server. The issue is addressed in versions 5.9.0-beta.1 and 4.17.0-beta.1, where the create() function's exposure has been properly mitigated.

The impact of CVE-2026-28695 is substantial for organizations using vulnerable versions of Craft CMS. Successful exploitation allows an authenticated administrator to execute arbitrary code on the underlying server, potentially leading to full system compromise. This can result in unauthorized data access, data modification or destruction, deployment of malware or ransomware, and lateral movement within the network. Since Craft CMS is often used to manage websites and web applications, attackers could deface sites, steal sensitive user data, or use the compromised server as a pivot point for further attacks. The vulnerability bypasses previous patches, indicating that organizations relying on earlier fixes remain at risk. The requirement for admin authentication limits exposure to some extent, but insider threats or compromised admin credentials could be leveraged by attackers. The absence of known exploits in the wild suggests a window of opportunity for defenders to patch before widespread attacks occur.

To mitigate CVE-2026-28695, organizations should immediately upgrade Craft CMS installations to version 5.9.0-beta.1 or later, or 4.17.0-beta.1 or later, where the vulnerability is fixed. Administrators should audit and restrict admin access to trusted personnel only, enforce strong authentication mechanisms such as multi-factor authentication (MFA), and monitor admin activities for suspicious behavior. It is also advisable to review and limit the use of custom Twig templates that invoke the create() function or other dynamic object instantiations. Network segmentation and application-layer firewalls can help reduce exposure of the CMS backend. Regularly scanning for outdated CMS versions and applying security patches promptly is critical. Additionally, monitoring logs for unusual process executions or command invocations related to symfony/process can provide early detection of exploitation attempts. Finally, consider implementing runtime application self-protection (RASP) or web application firewalls (WAFs) with rules targeting SSTI patterns to provide an additional layer of defense.