CVE-2026-28783: CWE-94: Improper Control of Generation of Code ('Code Injection') in craftcms cms
Craft is a content management system (CMS). Prior to 5.9.0-beta.1 and 4.17.0-beta.1, Craft CMS implements a blocklist to prevent potentially dangerous PHP functions from being called via Twig non-Closure arrow functions. In order to be able to successfully execute this attack, you need to either have allowAdminChanges enabled on production, or a compromised admin account, or an account with access to the System Messages utility. Several PHP functions are not included in the blocklist, which could allow malicious actors with the required permissions to execute various types of payloads, including RCEs, arbitrary file reads, SSRFs, and SSTIs. This vulnerability is fixed in 5.9.0-beta.1 and 4.17.0-beta.1.
AI Analysis
Technical Summary
Craft CMS, a popular content management system, suffered from a critical vulnerability identified as CVE-2026-28783, classified under CWE-94 (Improper Control of Generation of Code). The issue stems from Craft CMS's implementation of a blocklist designed to prevent dangerous PHP functions from being invoked via Twig non-Closure arrow functions. However, this blocklist was incomplete, omitting several PHP functions that could be leveraged by attackers to execute malicious payloads. To exploit this vulnerability, an attacker must have elevated privileges, such as a compromised admin account, access to the System Messages utility, or the allowAdminChanges setting enabled in production environments. Successful exploitation can lead to remote code execution (RCE), arbitrary file reads, server-side request forgery (SSRF), and server-side template injection (SSTI). The vulnerability affects Craft CMS versions from 4.0.0-RC1 up to 4.17.0-beta.1 and 5.0.0-RC1 up to 5.9.0-beta.1. The CVSS 4.0 base score of 9.4 reflects the vulnerability's critical nature, with network attack vector, low attack complexity, no required user interaction, and high privileges required. The vulnerability was publicly disclosed on March 4, 2026, and fixed in the 5.9.0-beta.1 and 4.17.0-beta.1 releases. No known exploits have been reported in the wild yet, but the potential for severe impact on confidentiality, integrity, and availability is high.
Potential Impact
The impact of CVE-2026-28783 is severe for organizations using affected versions of Craft CMS. Exploitation can result in remote code execution, allowing attackers to run arbitrary code on the server, potentially leading to full system compromise. This can enable data theft, destruction, or manipulation, impacting confidentiality and integrity. Arbitrary file reads can expose sensitive configuration files or credentials. SSRF vulnerabilities can be leveraged to pivot attacks within internal networks, potentially compromising additional systems. SSTI can allow attackers to inject malicious templates, further escalating control. Given Craft CMS's use in managing web content, exploitation could also lead to website defacement, service disruption, or use of the server as a launchpad for further attacks. Organizations with publicly accessible Craft CMS instances and insufficient privilege management are at highest risk. The requirement for elevated privileges or specific configuration settings somewhat limits the attack surface but does not eliminate the risk, especially if admin accounts are compromised or misconfigurations exist.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately upgrade Craft CMS to 5.9.0-beta.1 or later on the 5.x line, or 4.17.0-beta.1 or later on the 4.x line, where the issue is patched. Disable the allowAdminChanges setting in production environments to reduce the attack surface. Enforce strict access controls and multi-factor authentication for all admin and privileged accounts to prevent account compromise. Regularly audit and monitor usage of the System Messages utility and restrict access to trusted personnel only. Implement web application firewalls (WAFs) with rules to detect and block suspicious Twig template payloads in requests, such as arrow functions that reference PHP function names. Conduct thorough code reviews and penetration testing focusing on template injection and code execution vectors. Maintain up-to-date backups and incident response plans to quickly recover from potential exploitation. Finally, educate developers and administrators about secure configuration and the risks of enabling development features in production.
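A version check a defender can run against the affected ranges stated above, as an added example that is not Craft's or the advisory's own tooling: it reads the craftcms/cms entry from a Composer lock file and compares it with the fixed releases, ordering pre-release tags (RC, beta, alpha) below the final release. The AFFECTED table, the lock-file layout and the sample lock data are assumptions constructed for this example.

```python
"""Check whether an installed craftcms/cms version falls inside the
CVE-2026-28783 affected ranges: [4.0.0-RC1, 4.17.0-beta.1) and
[5.0.0-RC1, 5.9.0-beta.1). Added example, not Craft's own code."""
import json
import re
import sys

# Affected ranges from the advisory: lower bound inclusive, fixed release exclusive.
AFFECTED = {
    4: ("4.0.0-RC1", "4.17.0-beta.1"),
    5: ("5.0.0-RC1", "5.9.0-beta.1"),
}
# Pre-release ordering, lowest first; a final release (no suffix) ranks above all.
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3

def parse_version(v):
    """'5.9.0-beta.1' -> (5, 9, 0, 1, 1); '5.9.0' -> (5, 9, 0, 3, 0)."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-.]?(alpha|beta|rc)\.?(\d*))?", v, re.I)
    if not m:
        raise ValueError(f"unrecognised version string: {v}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4):
        return (major, minor, patch, _PRE_RANK[m.group(4).lower()], int(m.group(5) or 0))
    return (major, minor, patch, _FINAL_RANK, 0)

def is_affected(version):
    """True if version lies inside the affected range for its major line."""
    parsed = parse_version(version)
    bounds = AFFECTED.get(parsed[0])
    if bounds is None:  # 3.x and earlier are not listed as affected
        return False
    low, fixed = (parse_version(b) for b in bounds)
    return low <= parsed < fixed

def craft_version_from_lock(lock):
    """Return the craftcms/cms version pinned in a parsed composer.lock, or None."""
    for pkg in lock.get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg["version"]
    return None

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "composer.lock"
    with open(path) as fh:
        ver = craft_version_from_lock(json.load(fh))
    if ver is None:
        print("craftcms/cms not found in lock file")
    else:
        print(f"craftcms/cms {ver}: {'AFFECTED, upgrade' if is_affected(ver) else 'not affected'}")
```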
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Netherlands, France, Japan, South Korea, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-03T14:25:19.244Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69a8695ad1a09e29cb4e1dc1
Added to database: 3/4/2026, 5:18:18 PM
Last enriched: 3/4/2026, 5:32:55 PM
Last updated: 3/4/2026, 8:01:24 PM