Threat Advisory

Craft CMS Vulnerability Enables Remote Code Execution

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in Craft CMS (composer/craftcms/cms) affecting versions 5.9.0 through 5.9.22, 5.0.0‑RC1 through 5.9.22, and earlier 4.x releases up to 4.17.15. The issues span remote code execution, stored cross‑site scripting, DOM‑based XSS, and sensitive file disclosure. An authenticated attacker can execute arbitrary Twig code via the Referrer header, while lower‑privilege users can inject malicious JavaScript into entry titles or GitHub issue titles that run in admin sessions. Additionally, privileged utility users can read arbitrary files, including the .env file, exposing credentials. Exploitation could lead to full system compromise, data theft, and unauthorized administrative actions.[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in Craft CMS (composer/craftcms/cms) affecting versions 5.9.0 through 5.9.22, 5.0.0‑RC1 through 5.9.22, and earlier 4.x releases up to 4.17.15. The issues span remote code execution, stored cross‑site scripting, DOM‑based XSS, and sensitive file disclosure. An authenticated attacker can execute arbitrary Twig code via the Referrer header, while lower‑privilege users can inject malicious JavaScript into entry titles or GitHub issue titles that run in admin sessions. Additionally, privileged utility users can read arbitrary files, including the .env file, exposing credentials. Exploitation could lead to full system compromise, data theft, and unauthorized administrative actions.[emaillocker id="1283"]

  • CVE-2026-55794 with a CVSS score of 7.5 – An authenticated control‑panel user with entry‑edit permission can supply a crafted Referrer header that is compiled as unsandboxed Twig, enabling remote code execution; the attacker needs only a standard user account with edit rights.
  • CVE-2026-55793 with a CVSS score of 5.5 – An author‑level user can store a JavaScript payload in an entry title; when an admin drags another entry under the poisoned entry in table view, the script runs in the admin’s session, requiring the victim to perform the drag action.
  • CVE-2026-55792 with a CVSS score of 5.5 – A user granted the utility:system‑messages permission can embed the dataUrl() function in system email templates to read arbitrary files such as the .env file, exfiltrating sensitive configuration data.
  • CVE-2026-55790 with a CVSS score of 7.5 – Anyone with a GitHub account can create an issue with a malicious title; when a Craft admin uses the CraftSupport widget’s search, the title is rendered without sanitisation, resulting in DOM‑based XSS that executes in the admin’s control‑panel session.

These vulnerabilities collectively provide attackers with avenues to execute code, steal confidential files, and hijack administrator sessions across Craft CMS installations. Because exploitation can be achieved with minimal privileges and may lead to full system takeover and data breach, rapid assessment and remediation are essential to protect business continuity and customer trust.

RECOMMENDATION:

  • We recommend you to update Craft CMS to version 5.10.0. We recommend you to update Craft CMS to version 5.9.53. We recommend you to update Craft CMS to version 4.18.0.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-f74w-488g-8x5r
https://github.com/advisories/GHSA-xrqc-p465-2xvg
https://github.com/advisories/GHSA-287w-mxq6-x2cp
https://github.com/advisories/GHSA-24x4-j6x9-rfw5

[/emaillocker]
crossmenu