CVE-2026-28697: CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine in craftcms cms
CVE-2026-28697 is a critical Server-Side Template Injection (SSTI) vulnerability in Craft CMS versions prior to 4.17.0-beta.1 and 5.9.0-beta.1. An authenticated administrator can inject malicious payloads into Twig template fields, such as Email Templates, enabling Remote Code Execution (RCE). Exploitation allows writing arbitrary PHP scripts to web-accessible directories via the craft.app application object that Craft exposes to Twig.
AI Analysis
Technical Summary
CVE-2026-28697 is a critical vulnerability classified under CWE-1336 (improper neutralization of special elements used in a template engine) in Craft CMS, which renders its templates with Twig. The flaw exists in versions prior to 4.17.0-beta.1 and 5.9.0-beta.1. An authenticated administrator can exploit this Server-Side Template Injection (SSTI) by placing Twig code in control panel fields that are stored and rendered as template source, such as Email Templates. Because Twig executes a template rather than merely interpolating values into it, the injected code can reach the global craft.app application object and call craft.app.fs.write() to write an arbitrary PHP script into a web-accessible directory. Requesting that script in a browser then executes it with the privileges of the PHP process serving Craft, giving the attacker arbitrary command execution on the server (RCE).

The root cause is that template source supplied through these fields was treated as trusted Twig code: special elements were not neutralized, so the engine interpreted and executed them. No user interaction beyond the attacker's own administrator login is required, so the issue is most dangerous where admin credentials are compromised, shared, or held by a malicious insider, and it turns any weaker flaw that yields an admin session into full RCE. The fix ships in Craft CMS 4.17.0-beta.1 and 5.9.0-beta.1.

No public exploit had been reported at the time of writing, but the CVSS score of 9.4 reflects a network attack vector, low attack complexity, no user interaction, and high impact on confidentiality, integrity, and availability; the only precondition is administrator access.
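As an added example (not code from Craft CMS or from this advisory), the following Python scanner shows how a defender can triage stored Twig template sources, such as exported email templates, for the primitive the advisory names (craft.app.fs.write()) and for the attribute() indirection that defeats a naive string filter. The pattern list, the Finding shape and the three sample templates are assumptions constructed for the example; the suspect template only sketches the shape of the call with placeholder arguments.

```python
import re
from dataclasses import dataclass

# Heuristic indicators chosen for this example; Craft does not publish such a list.
# Each entry: (regex applied to the code inside one Twig tag, explanation).
DANGEROUS_PATTERNS = [
    (r"craft\.app\.fs\b", "filesystem service reached via craft.app.fs (the primitive named in the advisory)"),
    (r"\.write\s*\(", "write() method call on a template-reachable object"),
    (r"craft\.app\.(db|config|security|users|session)\b", "sensitive application service reached via craft.app"),
    (r"\battribute\s*\(", "dynamic attribute() lookup, a common way to evade name-based filters"),
    (r"<\?php", "inline PHP tag inside a template"),
]

# {{ ... }} output tags and {% ... %} statement tags, with optional whitespace-control dashes.
TWIG_CODE = re.compile(r"\{\{-?(.*?)-?\}\}|\{%-?(.*?)-?%\}", re.S)
TWIG_COMMENT = re.compile(r"\{#.*?#\}", re.S)


@dataclass(frozen=True)
class Finding:
    segment: str  # the Twig code that triggered the rule
    reason: str


def twig_code_segments(source: str) -> list[str]:
    """Return the code inside every {{ ... }} and {% ... %} tag, ignoring {# comments #}."""
    cleaned = TWIG_COMMENT.sub("", source)
    segments = []
    for m in TWIG_CODE.finditer(cleaned):
        body = m.group(1) if m.group(1) is not None else m.group(2)
        segments.append(body.strip())
    return segments


def scan_template(source: str) -> list[Finding]:
    """Flag Twig code segments that reach privileged objects or call file-writing methods."""
    findings = []
    for seg in twig_code_segments(source):
        for pattern, reason in DANGEROUS_PATTERNS:
            if re.search(pattern, seg, re.I):
                findings.append(Finding(seg, reason))
    return findings


def is_suspicious(source: str) -> bool:
    return bool(scan_template(source))


# Constructed sample templates (not taken from any real Craft site).
BENIGN_TEMPLATE = """{# reset-password email; craft.app.fs in this comment must be ignored #}
Hi {{ user.friendlyName }},
Reset your password here: {{ link }}
{%- if user.admin %} (admin account) {%- endif %}"""

# Shape of the injection the advisory describes: the fs service's write() called from a template.
# Arguments are placeholders; this is not a working payload.
SUSPECT_TEMPLATE = """Hi {{ user.friendlyName }},
{% do craft.app.fs.write('web/x.php', code) %}"""

# Same object path built with attribute(), so a filter on the literal string
# "craft.app.fs" never sees it; only the attribute() rule catches this one.
EVASIVE_TEMPLATE = "{{ attribute(attribute(craft, 'app'), 'fs') }}"


if __name__ == "__main__":
    for name, tpl in [("benign", BENIGN_TEMPLATE), ("suspect", SUSPECT_TEMPLATE), ("evasive", EVASIVE_TEMPLATE)]:
        print(name, [(f.reason) for f in scan_template(tpl)])
```

The evasive sample is the reason this scanner belongs in triage, not in the request path: Twig template source is code by design, and any name-based filter can be routed around with attribute(), string concatenation or variables, so a hit is a lead for an investigator, and a miss is not a clean bill of health.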
Potential Impact
The impact of CVE-2026-28697 is severe for organizations running vulnerable Craft CMS versions. Successful exploitation yields Remote Code Execution: the attacker runs arbitrary commands with the privileges of the PHP process that serves Craft (typically the web server or PHP-FPM user), which also has access to the site's .env file and therefore to database credentials and the application security key. That can lead to full system compromise, data theft, defacement, deployment of malware or ransomware, lateral movement within the network, and disruption of services. Because the vulnerability requires administrator authentication, the risk is concentrated where admin credentials are weak, reused, phished, or held by a malicious insider, and the flaw escalates any weaker issue that yields an admin session into full RCE. Organizations relying on Craft CMS for critical web content or customer-facing services face significant operational and reputational damage if exploited. A PHP file written into a web-accessible directory is also a persistence mechanism independent of the CMS: it survives a Craft upgrade and remains callable until it is found and removed. The vulnerability affects confidentiality, integrity, and availability, making it a critical threat to affected organizations worldwide.
Mitigation Recommendations
To mitigate CVE-2026-28697, upgrade Craft CMS to 4.17.0-beta.1 or later on the 4.x line, or 5.9.0-beta.1 or later on the 5.x line. Upgrading does not remove PHP files an attacker may already have written, so treat the patch as the first step and hunt for existing drops in every web-accessible directory (the web root, asset volume folders, and any writable cache or upload paths) before assuming a host is clean.

Until the upgrade is applied, restrict administrator accounts to trusted personnel, enforce multi-factor authentication (MFA) to reduce the risk of credential compromise, and review admin accounts and permissions regularly. On production instances, Craft's allowAdminChanges general config setting can be set to false so that settings such as email templates cannot be edited from the control panel at all; this removes the injection point for this flaw while still allowing normal content editing. Input validation or sanitization of template fields is of limited value here, because Twig template source is code by design and name-based filters can be bypassed (for example through the attribute() function), so do not rely on it as a control. A web application firewall with SSTI rules may catch opportunistic payloads, but it only sees an authenticated administrator saving a template, so treat it as defence in depth rather than a fix.

For detection, monitor web-accessible directories for new or modified .php files with file integrity monitoring; alert on control panel changes to email and other template settings (Craft writes these to the project config under config/project, so keeping that directory in version control makes unexpected template edits visible in diffs); and review web server access logs for requests to PHP files other than the expected front controller. Conduct regular security assessments and penetration tests focusing on CMS components, and maintain comprehensive logging and alerting to detect anomalous administrator activity or unexpected file writes.
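The file-integrity check recommended above, as an added Python example (not Craft's code or a tool from this page): it hashes a web root into a baseline, diffs the tree after a simulated drop, and triages any new or changed PHP file for common webshell markers. The directory layout (web/index.php, web/uploads), the stand-in file contents and the marker list are assumptions made for the example.

```python
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# Heuristic webshell indicators; list chosen for this example, not from Craft or the advisory.
SHELL_MARKERS = re.compile(
    r"\b(eval|system|exec|shell_exec|passthru|proc_open|popen|assert)\s*\("
    r"|\$_(GET|POST|REQUEST|COOKIE)\b",
    re.I,
)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Hash every regular file under root; keys are POSIX paths relative to root."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_baseline(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the tree on disk with a stored baseline."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(k for k in current.keys() & baseline.keys() if current[k] != baseline[k]),
        "removed": sorted(set(baseline) - set(current)),
    }


def triage_php(root: Path, rel_paths: list[str]) -> dict[str, list[str]]:
    """For each changed .php file, list the webshell markers found in it (omitted if none)."""
    hits: dict[str, list[str]] = {}
    for rel in rel_paths:
        if not rel.lower().endswith(".php"):
            continue
        text = (root / rel).read_text(errors="replace")
        markers = sorted({m.group(0) for m in SHELL_MARKERS.finditer(text)})
        if markers:
            hits[rel] = markers
    return hits


def demo() -> dict:
    """Constructed scenario: baseline a Craft-style web root, then a PHP file appears in uploads."""
    root = Path(tempfile.mkdtemp())
    try:
        web = root / "web"
        (web / "uploads").mkdir(parents=True)
        # Front controller and an asset; contents are stand-ins, not Craft's real files.
        (web / "index.php").write_text("<?php\nrequire dirname(__DIR__) . '/vendor/autoload.php';\n")
        (web / "uploads" / "logo.svg").write_text("<svg/>")
        baseline = build_baseline(root)

        # The post-exploitation state the advisory describes: a new PHP file in a
        # web-accessible directory. Constructed sample in the classic one-liner shape.
        (web / "uploads" / "cache.php").write_text("<?php system($_GET['c']); ?>\n")

        changes = diff_baseline(root, baseline)
        hits = triage_php(root, changes["added"] + changes["modified"])
        return {"changes": changes, "php_hits": hits}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

In production the baseline should be taken from a known-good deploy artifact rather than from the live host, stored outside the web server's reach, and the extension check widened to whatever the PHP handler is configured to execute (.phtml, .phar, and any misconfigured image or upload directories); a dropped file that contains no marker still deserves a look simply because the web root should never gain PHP files between deploys.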
Affected Countries
United States, Germany, United Kingdom, Australia, Canada, Netherlands, France, Japan, South Korea, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-02T21:43:19.928Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69a86252d1a09e29cb4c063c
Added to database: 3/4/2026, 4:48:18 PM
Last enriched: 3/4/2026, 5:03:02 PM
Last updated: 3/4/2026, 6:04:11 PM
Related Threats
- CVE-2026-20149: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Cisco Webex Meetings (Medium)
- CVE-2026-20082: Missing Release of Resource after Effective Lifetime in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software (High)
- CVE-2026-20007: Improper Access Control in Cisco Secure Firewall Threat Defense (FTD) Software (Medium)
- CVE-2026-20006: Error Handling in Cisco Secure Firewall Threat Defense (FTD) Software (Medium)
- CVE-2025-70218: n/a (High)