Craft CMS, a popular content management system, suffers from a critical code injection vulnerability identified as CVE-2026-28783. This vulnerability stems from improper control over the generation of code (CWE-94) within the CMS's Twig templating engine, specifically involving non-Closure arrow functions. Prior to versions 5.9.0-beta.1 and 4.17.0-beta.1, Craft CMS implemented a blocklist to restrict dangerous PHP functions from being invoked via Twig templates. However, this blocklist was incomplete, omitting several PHP functions that could be exploited by attackers with sufficient privileges. To successfully exploit this vulnerability, an attacker must have either the 'allowAdminChanges' setting enabled on a production environment, or access to an admin account or an account with permissions to the System Messages utility. Under these conditions, attackers can execute various malicious payloads, including remote code execution (RCE), arbitrary file reads, server-side request forgery (SSRF), and server-side template injections (SSTI). The vulnerability is severe due to the combination of high impact on confidentiality, integrity, and availability, and the relatively low complexity of exploitation since no user interaction is required. The flaw was addressed in the 5.9.0-beta.1 and 4.17.0-beta.1 releases by improving the blocklist and tightening control over PHP function execution within Twig templates. No public exploits have been reported yet, but the critical nature of the vulnerability demands immediate attention from organizations using affected versions of Craft CMS.

The impact of CVE-2026-28783 is substantial for organizations running vulnerable versions of Craft CMS. Successful exploitation can lead to remote code execution, allowing attackers to execute arbitrary commands on the server, potentially leading to full system compromise. This can result in data breaches, unauthorized data modification or deletion, and disruption of service availability. Arbitrary file reads can expose sensitive configuration files, credentials, or other confidential information. SSRF vulnerabilities can be leveraged to pivot attacks into internal networks, bypassing firewalls and accessing otherwise protected resources. SSTI can further facilitate code execution or data leakage. Given Craft CMS's use in managing web content, compromised systems could be used to distribute malware, deface websites, or serve as a foothold for broader network intrusions. The requirement for elevated privileges or specific configuration settings limits the attack surface but does not eliminate the risk, especially if admin credentials are compromised or insecure configurations are in place. The critical CVSS score of 9.4 underscores the high severity and potential for widespread damage if exploited.

To mitigate CVE-2026-28783, organizations should immediately upgrade Craft CMS to versions 5.9.0-beta.1 or later, or 4.17.0-beta.1 or later, where the vulnerability is patched. Review and disable the 'allowAdminChanges' setting in production environments unless absolutely necessary, as it increases the attack surface. Enforce strict access controls and multi-factor authentication for all admin and privileged accounts to reduce the risk of credential compromise. Limit access to the System Messages utility to only trusted administrators. Conduct regular audits of user permissions and remove unnecessary privileges. Monitor logs for suspicious activity related to Twig template usage or PHP function calls. Employ web application firewalls (WAFs) with custom rules to detect and block attempts to exploit code injection patterns in Twig templates. Additionally, implement network segmentation to limit the impact of SSRF attacks and restrict outbound requests from web servers. Finally, maintain an incident response plan to quickly address any detected exploitation attempts.