CVE Catalog

CVE-2026-55794

HighCVSS 8.7
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.29%

21th percentile — higher than 21% of all known CVEs

Summary

Craft CMS versions 5.9.0 through 5.10.0 contain a vulnerability where control panel users with entry editing permissions can execute unsandboxed Twig code via the HTTP Referrer header, leading to authenticated remote code execution (RCE). The issue occurs when saving entries, as the signed redirect URL string is compiled as a Twig template without sandboxing.

Risk Assessment

An attacker with editor privileges can execute arbitrary Twig code, potentially gaining full control over the CMS server and compromising the entire infrastructure.

Recommendation

Immediately upgrade Craft CMS to version 5.10.0 or later, which includes a fix for this vulnerability.

Original NVD description (English source)

Craft CMS is a content management system (CMS). In versions 5.9.0 and above prior to 5.10.0, control panel users with the ability to edit entries can execute unsandboxed Twig code via the HTTP Referrer header, potentially leading to authenticated RCE. The issue happens when a user is saving entries. Strings for a signed redirect URL are being compiled as a Twig template via renderObjectTemplate(), and while a sandboxed alternative already exists (renderSandboxedObjectTemplate()), it is not used in this case. This signed URL can be specified by users, as it is reflected in the “Referer” HTTP request header, which is under attacker control. This issue has been fixed in version 5.10.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS