DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-55794: CVE-2026-55794: Authenticated Remote Code Execution via Template Injection in Craft CMS

CVE-2026-55794: Authenticated Remote Code Execution via Template Injection in Craft CMS

Vulnerability ID: CVE-2026-55794
CVSS Score: 8.7
Published: 2026-07-06

Craft CMS versions 5.9.0 through 5.9.9 are vulnerable to authenticated Remote Code Execution (RCE). An attacker with control panel permissions to edit entries can inject malicious Twig templates into the client-side HTTP Referer header. During the post-save redirect sequence, the server evaluates this user-controlled header using an unsandboxed Twig rendering function, leading to arbitrary system command execution.

TL;DR

An authenticated remote code execution vulnerability in Craft CMS allows users with entry editing permissions to execute arbitrary system commands by injecting Twig template payloads into the HTTP Referer header during post-save redirects.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-1336 / CWE-94
  • Attack Vector: Network (Authenticated)
  • CVSS Score: 8.7 (High)
  • EPSS Score: 0.00293 (Percentile: 21.12%)
  • Impact: Full Unsandboxed Remote Code Execution (RCE)
  • Exploit Status: PoC / Highly Exploitable
  • KEV Status: Not listed

Affected Systems

  • Craft CMS
  • Craft CMS: >= 5.9.0, < 5.10.0 (Fixed in: 5.10.0)

Exploit Details

Mitigation Strategies

  • Upgrade Craft CMS instances to version 5.10.0 or higher.
  • Implement Web Application Firewall (WAF) rules to inspect and sanitize the Referer HTTP header on control panel endpoints.
  • Deploy intrusion detection rules to flag anomalous characters like curly braces in HTTP Referer headers targeting elements/save-entry actions.

Remediation Steps:

  1. Run 'composer update craftcms/cms' to update the application to version 5.10.0 or newer.
  2. Verify the update by checking that the returnUrl parameter contains cryptographically signed hashes in control panel links.
  3. Perform a log audit on web server access logs for historic POST requests containing Twig patterns in the Referer header.

References


Read the full report for CVE-2026-55794 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)