CVE-2026-28697: CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine in craftcms cms
Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, an authenticated administrator can achieve Remote Code Execution (RCE) by injecting a Server-Side Template Injection (SSTI) payload into Twig template fields (e.g., Email Templates). By calling the craft.app.fs.write() method, an attacker can write a malicious PHP script to a web-accessible directory and subsequently access it via the browser to execute arbitrary system commands. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1.
AI Analysis
Technical Summary
CVE-2026-28697 is a critical vulnerability classified under CWE-1336 (Improper Neutralization of Special Elements used in a Template Engine) affecting Craft CMS, a popular content management system. The flaw exists in versions prior to 4.17.0-beta.1 and 5.9.0-beta.1, where authenticated administrators can inject malicious Server-Side Template Injection (SSTI) payloads into Twig template fields, such as Email Templates. This injection enables attackers to exploit the craft.app.fs.write() method to write arbitrary PHP scripts to directories accessible via the web server. Once the malicious PHP script is written, attackers can invoke it through a browser, leading to Remote Code Execution (RCE) on the underlying system. The vulnerability does not require user interaction beyond administrator authentication, making it highly exploitable in environments where admin credentials are compromised or misused. The issue arises from improper sanitization and neutralization of special template elements, allowing crafted payloads to execute system commands. The vulnerability has a CVSS 4.0 base score of 9.4, indicating critical severity with network attack vector, low attack complexity, no user interaction, and high impact on confidentiality, integrity, and availability. Although no known exploits have been reported in the wild yet, the potential for severe damage is significant. The vulnerability is mitigated in Craft CMS versions 4.17.0-beta.1 and 5.9.0-beta.1 and later, where proper input sanitization and template handling have been implemented.
Potential Impact
The impact of CVE-2026-28697 is severe for organizations using affected versions of Craft CMS. Successful exploitation results in Remote Code Execution, allowing attackers to execute arbitrary system commands with the privileges of the web server process. This can lead to full system compromise, data theft, defacement, installation of backdoors, lateral movement within networks, and disruption of services. Since the vulnerability requires administrator authentication, the risk is elevated in environments where admin credentials are weak, reused, or compromised. The ability to write PHP scripts to web-accessible directories increases the attack surface and persistence options for adversaries. Organizations relying on Craft CMS for critical web applications, customer portals, or internal tools face significant confidentiality, integrity, and availability risks. The vulnerability could also be leveraged in targeted attacks against high-value targets or in supply chain attacks if exploited in managed hosting or development environments.
Mitigation Recommendations
To mitigate CVE-2026-28697, organizations should immediately upgrade Craft CMS to version 4.17.0-beta.1, 5.9.0-beta.1, or later stable releases where the vulnerability is patched. Additionally, restrict administrator access strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of credential compromise. Review and audit template fields, especially Email Templates, for suspicious or unauthorized changes. Implement web application firewalls (WAFs) with rules to detect and block SSTI payload patterns targeting Twig templates. Limit write permissions on web-accessible directories to prevent unauthorized file creation. Monitor logs for unusual file writes or execution attempts. Conduct regular security assessments and penetration tests focusing on template injection and code execution vectors. Educate administrators on secure template management practices and the risks of injecting untrusted input into templates. Finally, maintain an incident response plan to quickly address potential exploitation attempts.
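Two of the recommendations above, auditing template fields for unauthorized changes and watching web-accessible directories for unexpected file creation, are easy to script. The following is an added example written for this page; it is not code from Craft CMS, the advisory, or its reporter. It assumes templates are available as strings (for example exported from the project config or database) and that the web root is a local directory; the rule names, the sample templates and the file names in the demo are constructed for illustration.

```python
"""Defender-side checks for CVE-2026-28697 style template abuse.

1. audit_template(): flag Twig constructs that should never appear in
   content-editable templates such as Email Templates.  craft.app.fs.write()
   is the method named in the advisory; any craft.app.* service access is
   flagged too, since a template reaching into application services is a
   red flag regardless of which service it is.
2. unexpected_php_files(): list PHP files under a web root that are not in
   a known-good inventory or were modified after a given cutoff.
All names, patterns and sample data here are assumptions for this example.
"""
import os
import re
from dataclasses import dataclass

# Ordered from most to least specific; the first match on a line wins.
RISKY_PATTERNS = [
    ("fs-write", re.compile(r"craft\.app\.fs\b.*?\.write\s*\(")),
    ("fs-service", re.compile(r"craft\.app\.fs\b")),
    ("app-service", re.compile(r"craft\.app\.[A-Za-z_]\w*")),
]

PHP_EXTENSIONS = (".php", ".phtml", ".phar")


@dataclass(frozen=True)
class Finding:
    template: str
    line: int
    rule: str
    snippet: str


def audit_template(name, source):
    """Return one Finding per template line that matches a risky pattern."""
    findings = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        for rule, pattern in RISKY_PATTERNS:
            if pattern.search(text):
                findings.append(Finding(name, lineno, rule, text.strip()))
                break  # report only the most specific rule for this line
    return findings


def unexpected_php_files(webroot, known_files, newer_than):
    """Return sorted relative paths of PHP-executable files under `webroot`
    that are either absent from `known_files` (an inventory of expected
    relative paths) or were modified after the `newer_than` epoch time."""
    suspects = []
    for dirpath, _dirs, files in os.walk(webroot):
        for fname in files:
            if not fname.lower().endswith(PHP_EXTENSIONS):
                continue
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, webroot)
            if rel not in known_files or os.stat(full).st_mtime > newer_than:
                suspects.append(rel)
    return sorted(suspects)


# Constructed sample templates (not real site content): one benign email
# template and one that reaches into application services.
SAMPLE_TEMPLATES = {
    "email/verify": "Hello {{ user.friendlyName }},\n"
                    "<a href=\"{{ link }}\">Verify your address</a>",
    "email/suspicious": "Hi,\n"
                        "{% set r = craft.app.fs.write('web/x.php', '...') %}\n"
                        "{{ craft.app.config.general.devMode }}",
}


def audit_all(templates):
    """Audit a mapping of template name -> Twig source; returns all findings."""
    findings = []
    for name, source in templates.items():
        findings.extend(audit_template(name, source))
    return findings


if __name__ == "__main__":
    for f in audit_all(SAMPLE_TEMPLATES):
        print(f"{f.template}:{f.line} [{f.rule}] {f.snippet}")
```

Pattern matching of this kind is a triage aid, not a control: a template author with admin rights can split or obfuscate the chain so that a line-based regex misses it, so the findings should be treated as a prompt to review the template history and the inventory diff, while the upgrade to a fixed release remains the actual fix. Running `unexpected_php_files()` from a scheduled job against Craft's `web/` directory, with the inventory taken from a clean deployment, gives the log signal the mitigation section asks for.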
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Netherlands, France, Japan, South Korea, Brazil, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-02T21:43:19.928Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69a86252d1a09e29cb4c063c
Added to database: 3/4/2026, 4:48:18 PM
Last enriched: 3/11/2026, 7:38:52 PM
Last updated: 4/17/2026, 6:53:15 PM