DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-55792: CVE-2026-55792: Sensitive File Disclosure in Craft CMS via Twig Sandbox Bypass

CVE-2026-55792: Sensitive File Disclosure in Craft CMS via Twig Sandbox Bypass

Vulnerability ID: CVE-2026-55792
CVSS Score: 6.0
Published: 2026-07-06

CVE-2026-55792 represents a sensitive file disclosure vulnerability in Craft CMS. The issue arises from the inclusion of the dataUrl() function in the Twig sandbox allowlist combined with incomplete path validation inside the underlying helper method. Attackers with low-privileged control panel access can exploit this flaw to read and exfiltrate the .env configuration file.

TL;DR

Low-privileged users with template customizer access can read sensitive local files like .env using a sandbox bypass, leading to full database credential and security key compromise.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-200
  • Attack Vector: Network
  • CVSS 4.0 Score: 6.0
  • EPSS Score: 0.00268
  • Impact: Sensitive Information Disclosure / Local File Read
  • Exploit Status: PoC in technical advisories
  • CISA KEV Status: Not Listed

Affected Systems

  • Craft CMS 4.x
  • Craft CMS 5.x
  • Craft CMS: >= 4.0.0-RC1, < 4.18.0 (Fixed in: 4.18.0)
  • Craft CMS: >= 5.0.0-RC1, < 5.10.0 (Fixed in: 5.10.0)

Exploit Details

Mitigation Strategies

  • Upgrade Craft CMS to versions 4.18.0, 5.10.0, or newer.
  • Revoke the 'utility:system-messages' permission from non-administrative users.
  • Manually modify twig-sandbox.php config to strip the dataUrl function.

Remediation Steps:

  1. Run 'composer update craftcms/cms' to pull the latest security release.
  2. Verify the installation of version 4.18.0+ or 5.10.0+.
  3. Inspect the database table 'systemmessages' for any unauthorized template injections containing 'dataUrl'.

References


Read the full report for CVE-2026-55792 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)