CVE-2026-28784: CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine in craftcms cms
Craft is a content management system (CMS). Prior to 5.8.22 and 4.16.18, it is possible to craft a malicious payload using the Twig map filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to an RCE. For this to work, you must have administrator access to the Craft Control Panel and allowAdminChanges must be enabled, which is against our recommendations for any non-dev environment. Alternatively, you can have a non-administrator account with allowAdminChanges disabled but with access to the System Messages utility. Users should update to the patched versions (5.8.22 and 4.16.18) to mitigate the issue.
AI Analysis
Technical Summary
CVE-2026-28784 is a critical vulnerability in Craft CMS, a popular content management system, caused by improper neutralization of special elements in the Twig template engine (CWE-1336). The flaw lies in the handling of the Twig map filter within text fields that accept Twig input, such as those under Settings in the Craft control panel or in the System Messages utility. An attacker with administrator privileges and allowAdminChanges enabled can craft a malicious payload that leads to remote code execution (RCE). Alternatively, a non-administrator user with access to the System Messages utility can exploit the vulnerability even when allowAdminChanges is disabled. The root cause is insufficient sanitization of user-controlled input before it is processed by the Twig engine, which allows arbitrary code to run on the server hosting the CMS and can lead to full system compromise, data theft, or service disruption. The vulnerability affects Craft CMS versions from 4.0.0-RC1 up to but not including 4.17.0-beta.1 and from 5.0.0-RC1 up to but not including 5.9.0-beta.1. The vendor has released patched versions 5.8.22 and 4.16.18. The CVSS 4.0 score of 8.6 reflects the vulnerability's high impact and ease of exploitation once the required privileges are held. No known exploits are currently reported in the wild, but the risk remains significant given the severity of RCE in web-facing CMS platforms.
Potential Impact
The impact of CVE-2026-28784 is substantial for organizations running vulnerable Craft CMS versions. Successful exploitation yields remote code execution, allowing attackers to run arbitrary commands on the server. This can lead to full system compromise, unauthorized data access or modification, deployment of malware or ransomware, and disruption of web services. Because Craft CMS is commonly used to manage websites and web applications, attackers could deface sites, steal sensitive user data, or pivot to internal networks. The requirement for administrative access, or for access to the System Messages utility, limits the attack surface but does not eliminate the risk, especially where administrative controls are lax or many users hold elevated privileges. The vulnerability undermines the confidentiality, integrity, and availability of affected systems. Organizations with public-facing Craft CMS installations are particularly exposed, since attackers may obtain the necessary privileges through other means (for example, credential theft) and then use this vulnerability to escalate from control panel access to code execution on the host. The absence of known exploits in the wild leaves a window for proactive mitigation, but the high CVSS score indicates that the consequences of exploitation are severe.
Mitigation Recommendations
To mitigate CVE-2026-28784, organizations should immediately update Craft CMS to version 5.8.22 or 4.16.18 or later, where the vulnerability is patched. Beyond patching, administrators should disable allowAdminChanges in production environments, as the vendor recommends, to remove the Settings-based path. Note that disabling allowAdminChanges alone does not close the System Messages path, so access to the Craft control panel and in particular to the System Messages utility should be restricted to trusted administrators, and the number of users holding such privileges kept to a minimum. Implement strong authentication and authorization controls, including multi-factor authentication for administrative accounts. Regularly audit user permissions and remove unnecessary access rights. Monitor logs for unusual Twig input in settings fields and for access to the System Messages utility. Employ web application firewalls (WAFs) with rules that detect and block suspicious template injection patterns. Conduct regular security assessments and penetration tests covering CMS components. Finally, maintain a robust backup and incident response plan so that a compromise can be recovered from quickly.
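The configuration change recommended above, shown as an added example rather than Craft's own default file or anything from the advisory. It assumes Craft 4 or 5 (the affected major versions), where `config/general.php` may return a `craft\config\GeneralConfig` object, and that a `CRAFT_ENVIRONMENT` environment variable distinguishes `dev` from other environments; the comments mark the weak setting beside the corrected one.

```php
<?php
/**
 * config/general.php (added example, not Craft's shipped default).
 *
 * Ties allowAdminChanges to the environment so that only local development
 * installs can edit system settings, which is the vendor's recommendation
 * for any non-dev environment.
 */

use craft\config\GeneralConfig;
use craft\helpers\App;

// Assumed: CRAFT_ENVIRONMENT is 'dev' on developer machines and 'staging'
// or 'production' elsewhere. Anything unset is treated as production.
$env = App::env('CRAFT_ENVIRONMENT') ?: 'production';
$isDev = $env === 'dev';

return GeneralConfig::create()
    // Weak setting the advisory warns against outside dev:
    //     ->allowAdminChanges(true)
    //
    // Corrected: with this false in production, the Settings section of the
    // control panel (including its Twig-accepting text fields) is read-only,
    // and settings changes must arrive via project config from version
    // control rather than being typed into the live site.
    ->allowAdminChanges($isDev)

    // Developer-facing error output also belongs only in dev.
    ->devMode($isDev);
```

In Craft 4 and later the same setting can be forced per environment without touching this file by exporting `CRAFT_ALLOW_ADMIN_CHANGES=false` in the production environment (an environment override that Craft 4+ supports for general config settings). Either way, this only addresses the Settings path: the advisory states that a non-administrator with access to the System Messages utility can still reach the vulnerable code, so the utility permission in user group settings needs to be withdrawn from anyone who does not need it, and patching remains the actual fix.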
Affected Countries
United States, United Kingdom, Germany, Australia, Canada, Netherlands, France, Japan, Sweden, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-03T14:25:19.244Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69a8695ad1a09e29cb4e1dc5
Added to database: 3/4/2026, 5:18:18 PM
Last enriched: 3/11/2026, 7:39:33 PM
Last updated: 4/18/2026, 11:37:34 PM