
CVE-2026-28784: CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine in craftcms cms

Severity: High
Weakness: CWE-1336
Published: Wed Mar 04 2026 (03/04/2026, 16:53:15 UTC)
Source: CVE Database V5
Vendor/Project: craftcms
Product: cms

Description

Craft is a content management system (CMS). Prior to 5.8.22 and 4.16.18, it is possible to craft a malicious payload using the Twig map filter in text fields that accept Twig input under Settings in the Craft control panel, or using the System Messages utility, which could lead to RCE. For this to work, you must have administrator access to the Craft Control Panel and allowAdminChanges must be enabled, which is against our recommendations for any non-dev environment. Alternatively, you can have a non-administrator account with allowAdminChanges disabled but with access to the System Messages utility. Users should update to the patched versions (5.8.22 and 4.16.18) to mitigate the issue.

AI-Powered Analysis

Last updated: 03/04/2026, 17:32:39 UTC

Technical Analysis

CVE-2026-28784 is a critical vulnerability in the Craft CMS platform caused by improper neutralization of special elements used in the Twig template engine (CWE-1336). Specifically, the flaw allows an attacker with administrator privileges and the allowAdminChanges setting enabled, or a non-administrator with access to the System Messages utility, to inject malicious payloads via the Twig map filter in text fields that accept Twig input. This injection leads to remote code execution (RCE), enabling attackers to execute arbitrary code on the server hosting the CMS. The vulnerability affects Craft CMS versions from 4.0.0-RC1 up to 4.17.0-beta.1 and from 5.0.0-RC1 up to 5.9.0-beta.1. The root cause is insufficient sanitization and neutralization of special template elements, which allows crafted input to be interpreted and executed by the Twig engine. Exploitation does not require user interaction, but it does require elevated privileges or specific utility access, which limits the attack surface to some extent. The vulnerability was publicly disclosed in March 2026 with a CVSS 4.0 score of 8.6, indicating high severity due to the network attack vector, low attack complexity, no user interaction, and high impact on confidentiality, integrity, and availability. No known exploits have been observed in the wild, but the risk remains significant for affected installations. The vendor recommends updating to patched versions 5.8.22 and 4.16.18 to remediate the issue.

Potential Impact

The impact of CVE-2026-28784 is substantial for organizations using vulnerable versions of Craft CMS. Successful exploitation results in remote code execution, which can lead to full system compromise, data theft, defacement, or use of the server as a pivot point for further attacks. Confidentiality is at risk because attackers can access sensitive data stored or processed by the CMS. Integrity is compromised because attackers can modify content or configurations, or inject malicious code. Availability may be disrupted if attackers deploy destructive payloads or ransomware. Since the vulnerability requires administrator access or access to the System Messages utility, the threat comes primarily from insiders or compromised accounts, but the ease of exploitation under these conditions elevates the risk. Organizations running public-facing websites or critical infrastructure on Craft CMS are particularly exposed, with potential consequences for brand reputation, customer trust, and regulatory compliance. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as proof-of-concept code may emerge. The vulnerability's high CVSS score reflects its potential for severe damage if exploited.

Mitigation Recommendations

To mitigate CVE-2026-28784, organizations should immediately upgrade Craft CMS to version 5.8.22 or 4.16.18 or later, which contain the necessary patches. Additionally, organizations should adhere strictly to the vendor's recommendation to disable allowAdminChanges in all non-development environments to reduce the attack surface; note that this setting alone does not close the System Messages utility path described above, so patching is still required. Access controls should be reviewed and tightened so that administrator and System Messages utility access is limited to trusted personnel. Implementing multi-factor authentication (MFA) for all CMS accounts with elevated privileges can reduce the risk of account compromise. Regularly audit CMS user roles and permissions to detect and remove unnecessary privileges. Monitoring and logging of CMS control panel activities should be enhanced to detect suspicious behavior indicative of exploitation attempts. Employ web application firewalls (WAFs) with rules targeting known Craft CMS vulnerabilities and suspicious Twig template payloads. Finally, conduct periodic security assessments and penetration testing focused on CMS components to identify and remediate potential weaknesses proactively.
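As an added illustration (not code from the advisory or from the Craft project), one way to express the vendor's allowAdminChanges recommendation in config/general.php, assuming Craft's fluent GeneralConfig API and a CRAFT_ENVIRONMENT variable set per deployment:

```php
<?php
// config/general.php (added example; assumes the Craft 4.x/5.x fluent config API)
use craft\config\GeneralConfig;
use craft\helpers\App;

// Weak setting the advisory warns about: admin changes are allowed in every
// environment, so an administrator account (or a compromised one) can edit
// the Twig-bearing settings fields in production.
// return GeneralConfig::create()->allowAdminChanges(true);

// Hardened: only the local dev environment may change system settings.
// Staging and production receive settings through project config instead,
// so the control-panel fields that accept Twig input are read-only there.
$isDev = App::env('CRAFT_ENVIRONMENT') === 'dev';

return GeneralConfig::create()
    ->allowAdminChanges($isDev)
    // Keep dev mode (verbose errors, debug toolbar) confined to dev as well.
    ->devMode($isDev);
```

The same setting can be forced from the environment with CRAFT_ALLOW_ADMIN_CHANGES=false in the production .env, which overrides the config file value. Restricting the System Messages utility permission for non-administrator users remains a separate, role-level control.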


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-03T14:25:19.244Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69a8695ad1a09e29cb4e1dc5

Added to database: 3/4/2026, 5:18:18 PM

Last enriched: 3/4/2026, 5:32:39 PM

Last updated: 3/4/2026, 8:01:22 PM
