Skip to content

Authenticated RCE via Twig SSTI - create() function + Symfony Process gadget

Moderate
angrybrad published GHSA-94rc-cqvm-m4pw Mar 2, 2026

Package

composer craftcms/cms (Composer)

Affected versions

>= 5.8.7, < 5.9.0-beta.1
>= 4.0.0-RC1, < 4.17.0-beta.1

Patched versions

5.9.0-beta.1
4.17.0-beta.1

Description

There is an authenticated admin RCE in Craft CMS 5.8.21 via Server-Side Template Injection using the create() Twig function combined with a Symfony Process gadget chain.

This bypasses the fix implemented for CVE-2025-57811 (patched in 5.8.7).

Required Permissions

  • Administrator permissions or access to System Messages utility
  • allowAdminChanges enabled in production (against our security recommendations) or access to System Messages utility

Vulnerability Details

The create() Twig function exposes Craft::createObject(), which allows instantiation of arbitrary PHP classes with constructor arguments. Combined with the bundled symfony/process dependency, this enables RCE.

Attack Vector

Admin panel → Settings → Entry Types → Title Format field

Proof of Concept Payload

{% set p = create("Symfony\\Component\\Process\\Process", [["id"]])
%}{{ p.mustRun.getOutput }}

Steps to Reproduce

  1. Log in as admin
  2. Navigate to Settings → Entry Types
  3. Edit any entry type’s "Title Format" field
  4. Insert the payload above
  5. Create/edit an entry of that type
  6. Command executes, output appears in entry title

Impact

  • Authenticated Remote Code Execution
  • Runs as web server user (root in default Docker setup)
  • Full server compromise

Root Cause

Craft::createObject() allows the instantiation of any class, including
Symfony\Component\Process\Process, which executes shell commands.

Suggested Fix

  • Blocklist dangerous classes in createObject() when called from Twig
  • Or remove/restrict the create() Twig function
  • Or validate class names against an allowlist

References

e31e508

Severity

Moderate

CVE ID

CVE-2026-28695

Weaknesses

No CWEs

Credits