CVE-2026-28695 is a critical vulnerability affecting Craft CMS, a popular content management system. The flaw is an authenticated server-side template injection (SSTI) that enables remote code execution (RCE) through the Twig template engine's create() function. This function exposes Craft::createObject(), which allows the instantiation of arbitrary PHP classes with constructor arguments. By exploiting this, an attacker with administrative privileges can instantiate classes from the symfony/process library bundled with Craft CMS to execute arbitrary system commands on the server. This vulnerability effectively bypasses the previous patch applied for CVE-2025-57811, indicating a regression or incomplete fix. The affected versions include Craft CMS 5.8.7 up to but not including 5.9.0-beta.1, and 4.0.0-RC1 up to but not including 4.17.0-beta.1. The vulnerability requires high privileges (admin authentication) but no additional user interaction, and it has a CVSS 4.0 base score of 7.5, reflecting its high severity. No known exploits are currently reported in the wild. The issue is categorized under CWE-1336, which involves improper neutralization of special elements used in a template engine, leading to injection attacks. The fix is available starting with Craft CMS 5.9.0-beta.1 and 4.17.0-beta.1.

The impact of this vulnerability is significant for organizations using affected versions of Craft CMS. An authenticated attacker with admin privileges can execute arbitrary code on the web server, potentially leading to full system compromise. This could result in unauthorized data access, data modification, service disruption, or use of the compromised server as a pivot point for further attacks within the network. Since Craft CMS is used to manage website content, exploitation could also lead to defacement, data leakage, or insertion of malicious content affecting end users. The requirement for admin authentication limits the attack surface but does not eliminate risk, especially in environments where admin credentials may be compromised or weakly protected. The bypass of a previous fix suggests that organizations relying on earlier patches remain vulnerable until they upgrade to the fixed versions. The absence of known exploits in the wild currently reduces immediate risk but does not preclude future exploitation, especially as details become public.

Organizations should immediately upgrade Craft CMS to versions 5.9.0-beta.1 or later, or 4.17.0-beta.1 or later, where the vulnerability is patched. Until upgrades can be applied, restrict admin access to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of credential compromise. Review and monitor admin account activity for suspicious behavior. Disable or restrict access to the Twig create() function or Craft::createObject() if possible through configuration or custom code hardening. Employ web application firewalls (WAFs) with rules designed to detect and block unusual template engine usage or command injection patterns. Conduct thorough code and configuration audits to ensure no other template injection vectors exist. Regularly back up CMS data and system configurations to enable recovery in case of compromise. Finally, maintain vigilant monitoring of security advisories for any emerging exploits or related vulnerabilities.