CVE-2026-31857: Authenticated Remote Code Execution in Craft CMS via Server-Side Template Injection
Vulnerability ID: CVE-2026-31857
CVSS Score: 8.1
Published: 2026-03-11
Craft CMS versions 4.x and 5.x are vulnerable to a high-severity Server-Side Template Injection (SSTI) flaw. Authenticated attackers with minimal Control Panel permissions can execute arbitrary PHP code. The vulnerability exists in the processing of relational condition rules within the element index and search functionalities.
TL;DR
Authenticated users can achieve Remote Code Execution in Craft CMS by injecting malicious Twig payloads into relational condition rules, bypassing production security restrictions.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-94
- CVSS 4.0 Score: 8.1
- Attack Vector: Network
- Authentication Required: Yes
- Exploit Status: Proof of Concept
- KEV Listed: No
Affected Systems
- Craft CMS 4
- Craft CMS 5
- Craft CMS 5: >= 5.0.0-RC1, < 5.9.9 (Fixed in: 5.9.9)
- Craft CMS 4: >= 4.0.0-beta.1, < 4.17.4 (Fixed in: 4.17.4)
Code Analysis
- Fix Commit for Craft CMS 5.x: 8d49036
- Fix Commit for Craft CMS 4.x: ae6b45e
Mitigation Strategies
- Upgrade Craft CMS installations to the latest patched versions.
- Restrict Control Panel access to highly trusted personnel.
- Deploy WAF rules to intercept POST payloads containing Twig syntax targeting index endpoints.
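The third mitigation is easiest to reason about with a concrete check. The following is an added example, not code from the advisory or from Craft CMS: a request-inspection helper of the kind a WAF rule or log-review script would apply to POST bodies destined for Control Panel index endpoints. It decodes JSON and form-encoded bodies, unwraps percent-encoding (including double-encoding) before looking for Twig delimiters, and only flags requests to index-style paths. The endpoint path patterns and the sample requests are constructed assumptions; adjust the patterns to the action routes your deployment actually exposes.

```python
# Added example (not from the advisory or Craft CMS): flag POST bodies that
# carry Twig template syntax towards index/search endpoints. Path patterns
# and sample requests are constructed assumptions for illustration.
import json
import re
from urllib.parse import parse_qs, unquote_plus

# Twig delimiters: print tag, statement tag, comment tag.
TWIG_DELIMITERS = re.compile(r"\{\{|\{%|\{#")

# Paths treated as index/search endpoints (assumed; adjust to your routes).
INDEX_PATH_PATTERNS = (
    re.compile(r"/element-indexes/", re.I),
    re.compile(r"/index", re.I),
)


def _iter_strings(value):
    """Yield every string nested inside a decoded JSON/form structure."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for k, v in value.items():
            yield from _iter_strings(k)
            yield from _iter_strings(v)
    elif isinstance(value, (list, tuple)):
        for item in value:
            yield from _iter_strings(item)


def _decode_body(content_type, body):
    """Decode a JSON or form-encoded body; unknown types stay as raw text."""
    ct = (content_type or "").lower()
    if "application/json" in ct:
        try:
            return json.loads(body)
        except ValueError:
            return body
    if "application/x-www-form-urlencoded" in ct:
        return parse_qs(body, keep_blank_values=True)
    return body


def _fully_unquoted(s, rounds=3):
    """Undo up to `rounds` layers of percent-encoding so an encoded '{{'
    still surfaces (naive delimiter matching misses double-encoded input)."""
    for _ in range(rounds):
        nxt = unquote_plus(s)
        if nxt == s:
            break
        s = nxt
    return s


def is_suspicious_request(method, path, content_type, body):
    """True when a POST to an index/search endpoint carries Twig syntax
    anywhere in its decoded body (keys and values alike)."""
    if method.upper() != "POST":
        return False
    if not any(p.search(path) for p in INDEX_PATH_PATTERNS):
        return False
    decoded = _decode_body(content_type, body)
    return any(TWIG_DELIMITERS.search(_fully_unquoted(s))
               for s in _iter_strings(decoded))


# Constructed sample requests (not real traffic): benign JSON, a Twig tag in
# a JSON condition rule, a double-encoded tag in a form body, and a Twig tag
# sent to a non-index endpoint (out of scope for this rule).
SAMPLES = [
    ("POST", "/admin/actions/element-indexes/get-elements",
     "application/json", '{"condition": {"rules": [{"value": "entries"}]}}'),
    ("POST", "/admin/actions/element-indexes/get-elements",
     "application/json", '{"condition": {"rules": [{"value": "{{ value }}"}]}}'),
    ("POST", "/admin/actions/element-indexes/get-elements",
     "application/x-www-form-urlencoded",
     "condition%5Bvalue%5D=%257B%257B+value+%257D%257D"),
    ("POST", "/admin/actions/users/save-user",
     "application/x-www-form-urlencoded", "firstName=%7B%7B"),
]


def scan_samples():
    """Apply the check to the constructed samples; returns a list of booleans."""
    return [is_suspicious_request(*s) for s in SAMPLES]


if __name__ == "__main__":
    for sample, flagged in zip(SAMPLES, scan_samples()):
        print("FLAG" if flagged else "ok  ", sample[1], sample[3])
```

Scoping the rule to index/search paths keeps false positives down on ordinary content saves, where a literal `{{` in a field is legitimate; the unquoting loop is what makes the rule hold up against the encoded variant the third sample shows.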
Remediation Steps:
- Backup the Craft CMS database and application files.
- Update Craft CMS to version 5.9.9 or 4.17.4 via Composer (composer update craftcms/cms).
- Verify the application functionality post-update.
- Audit the Control Panel user list and remove unnecessary accounts.
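To confirm the update step before and after running composer update craftcms/cms, the version recorded in composer.lock can be compared against the affected ranges quoted above. The following is an added example and not part of the advisory or of Craft CMS: it parses a composer.lock document, extracts the craftcms/cms version, and reports whether it falls inside the advisory's vulnerable ranges (>= 5.0.0-RC1, < 5.9.9 and >= 4.0.0-beta.1, < 4.17.4). The fixed versions are taken from the advisory; the lock-file content embedded below is a constructed sample.

```python
# Added example (not from the advisory or Craft CMS): check whether the
# craftcms/cms version in composer.lock lies in an affected range.
# Range boundaries are the advisory's; SAMPLE_LOCK is constructed.
import json
import re

# Affected ranges from the advisory, per major version.
AFFECTED = {
    4: ("4.0.0-beta.1", "4.17.4"),  # >= lower, < fixed
    5: ("5.0.0-RC1", "5.9.9"),
}


def parse_version(version):
    """Turn '5.9.9', '5.0.0-RC1' or '4.0.0-beta.1' into a sortable tuple.
    Pre-release tags sort below the final release with the same numbers."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    nums = tuple(int(x) for x in m.group(1, 2, 3))
    prerelease = m.group(4)
    # (numbers, 0, tag) for pre-releases; (numbers, 1, "") for releases.
    return nums + ((0, prerelease.lower()) if prerelease else (1, ""))


def is_vulnerable(version):
    """True when the version lies inside a range the advisory lists as affected."""
    v = parse_version(version)
    major = v[0]
    if major not in AFFECTED:
        return False  # majors the advisory does not list are out of scope
    lower, fixed = AFFECTED[major]
    return parse_version(lower) <= v < parse_version(fixed)


def installed_cms_version(lock_json):
    """Return the craftcms/cms version recorded in a composer.lock document."""
    for pkg in lock_json.get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg["version"]
    return None


def check_lock(lock_text):
    """Parse composer.lock text and return (version, vulnerable?)."""
    version = installed_cms_version(json.loads(lock_text))
    if version is None:
        return None, False
    return version, is_vulnerable(version)


# Constructed composer.lock fragment (real lock files carry many more fields).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "craftcms/cms", "version": "5.9.8"},
        {"name": "twig/twig", "version": "3.0.0"},
    ]
})

if __name__ == "__main__":
    import sys
    # Usage: python check_craft.py /path/to/composer.lock (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    version, vulnerable = check_lock(text)
    state = "UPDATE REQUIRED" if vulnerable else "patched or out of scope"
    print(f"craftcms/cms {version}: {state}")
```

Run it against the project's real composer.lock before the update to confirm the finding and again afterwards to confirm the recorded version is 5.9.9 or 4.17.4 (or later); the pre-release handling matters because the advisory's lower bounds are RC and beta tags.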
References
- NVD Record: CVE-2026-31857
- GitHub Advisory: GHSA-fp5j-j7j4-mcxc
- Fix Commit (5.x)
- Fix Commit (4.x)
- Craft CMS Changelog