CVE-2026-55794: Authenticated Remote Code Execution via Template Injection in Craft CMS
Vulnerability ID: CVE-2026-55794
CVSS Score: 8.7
Published: 2026-07-06
Craft CMS versions 5.9.0 through 5.9.9 are vulnerable to authenticated Remote Code Execution (RCE). An attacker with control panel permissions to edit entries can inject malicious Twig templates into the client-side HTTP Referer header. During the post-save redirect sequence, the server evaluates this user-controlled header using an unsandboxed Twig rendering function, leading to arbitrary system command execution.
TL;DR
An authenticated remote code execution vulnerability in Craft CMS allows users with entry editing permissions to execute arbitrary system commands by injecting Twig template payloads into the HTTP Referer header during post-save redirects.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-1336 / CWE-94
- Attack Vector: Network (Authenticated)
- CVSS Score: 8.7 (High)
- EPSS Score: 0.00293 (Percentile: 21.12%)
- Impact: Full Unsandboxed Remote Code Execution (RCE)
- Exploit Status: PoC / Highly Exploitable
- KEV Status: Not listed
Affected Systems
- Craft CMS
-
Craft CMS: >= 5.9.0, < 5.10.0 (Fixed in:
5.10.0)
Exploit Details
- GitHub Security Advisory: Vulnerability disclosure detailing the template injection mechanism and remediation steps.
Mitigation Strategies
- Upgrade Craft CMS instances to version 5.10.0 or higher.
- Implement Web Application Firewall (WAF) rules to inspect and sanitize the Referer HTTP header on control panel endpoints.
- Deploy intrusion detection rules to flag anomalous characters like curly braces in HTTP Referer headers targeting elements/save-entry actions.
Remediation Steps:
- Run 'composer update craftcms/cms' to update the application to version 5.10.0 or newer.
- Verify the update by checking that the returnUrl parameter contains cryptographically signed hashes in control panel links.
- Perform a log audit on web server access logs for historic POST requests containing Twig patterns in the Referer header.
References
- Craft CMS Security Advisory GHSA-f74w-488g-8x5r
- Craft CMS Pull Request #18680
- CVE-2026-55794 Official CVE Record
- NVD Vulnerability Page for CVE-2026-55794
Read the full report for CVE-2026-55794 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)