CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-55794

CVE-2026-55794: Authenticated Remote Code Execution via Template Injection in Craft CMS

Amit Schendel
Amit Schendel
Senior Security Researcher

Jul 7, 2026·6 min read·3 visits

Executive Summary (TL;DR)

An authenticated remote code execution vulnerability in Craft CMS allows users with entry editing permissions to execute arbitrary system commands by injecting Twig template payloads into the HTTP Referer header during post-save redirects.

Craft CMS versions 5.9.0 through 5.9.9 are vulnerable to authenticated Remote Code Execution (RCE). An attacker with control panel permissions to edit entries can inject malicious Twig templates into the client-side HTTP Referer header. During the post-save redirect sequence, the server evaluates this user-controlled header using an unsandboxed Twig rendering function, leading to arbitrary system command execution.

Vulnerability Overview

Craft CMS version 5.9.0 introduced a referrer-based redirect mechanism designed to return administrative users to their original entry index page after updating elements in the Control Panel. This mechanism trusted the client-supplied HTTP Referer header, exposing an unintended entry point for template injection.

This security weakness is classified under CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine), which cascades into CWE-94 (Improper Control of Generation of Code). When an authorized user executes an element save action, the application processes the client's HTTP Referer header through an unsandboxed Twig template rendering routine.

An attacker who has permissions to edit at least one entry type can exploit this vector to execute arbitrary system commands on the host server. The attack surface is limited to authenticated control panel users, but because any element editor can trigger it, the risk of privilege escalation and full server takeover remains severe.

Root Cause Analysis

The root cause of this vulnerability lies in the implementation of the post-save redirect resolution inside src/controllers/ElementsController.php. When an entry is successfully updated, the controller resolves the destination URL using a prioritized sequence: first checking for a signed returnUrl query parameter, falling back to UrlHelper::cpReferralUrl(), and finally defaulting to the standard post-edit URL.

The helper function UrlHelper::cpReferralUrl() directly retrieves the raw HTTP Referer request header without validation or sanitization. Since HTTP headers are entirely client-controlled, any string, including specialized Twig template expressions, can be injected into this value by an attacker.

Once the controller obtains this unchecked referrer string, it passes it to the getPostedRedirectUrl() method in the base controller class src/web/Controller.php. This method attempts to evaluate dynamic placeholders inside the URL string using renderObjectTemplate(). Because renderObjectTemplate() evaluates input in an unsandboxed state, the Twig engine compiles and executes any embedded expressions, leading to remote code execution.

Code Analysis & Patch Assessment

To understand the core flaw, it is necessary to examine the differences between the vulnerable implementation and the remediation introduced in version 5.10.0. The vulnerable code in ElementsController.php did not validate whether the redirect URL was cryptographically signed before executing template rendering. It blindly fell back to the referrer header:

// Vulnerable redirect resolution logic
$redirectUrl = $this->request->getValidatedQueryParam('returnUrl') ?? UrlHelper::cpReferralUrl() ?? ElementHelper::postEditUrl($element);

The remediation implemented in Pull Request #18680 entirely deprecates UrlHelper::cpReferralUrl() and strictly mandates signature verification for any custom returnUrl containing template syntax:

// Patched logic in ElementsController.php
$redirectUrl = $this->request->getQueryParam('returnUrl');
if ($redirectUrl) {
    // Validate cryptographic signature
    $validated = Craft::$app->getSecurity()->validateData($redirectUrl);
    if ($validated !== false) {
        $redirectUrl = $validated;
    } elseif (str_contains($redirectUrl, '{')) {
        // Reject raw template expressions
        throw new BadRequestHttpException("Invalid returnUrl param: $redirectUrl");
    }
} else {
    $redirectUrl = ElementHelper::postEditUrl($element);
}

This defensive design is highly complete. By verifying the cryptographic signature of the template-containing parameter, the server ensures that only internally generated templates are compiled. Any untrusted, user-supplied templates will fail validation and trigger a BadRequestHttpException before reaching the execution phase.

Exploit Methodology and Attack Vector

Exploitation of CVE-2026-55794 requires the attacker to possess an active session on the Craft CMS Control Panel. The session must belong to an account authorized to edit elements, such as entries, assets, or categories. This prerequisite makes the vulnerability highly relevant to multi-tenant environments or sites with multiple content editors.

To execute the attack, the adversary prepares a standard HTTP POST request directed to the entry-saving endpoint, typically actions/entries/save-entry. During this request, the attacker modifies the standard Referer header to include an unsandboxed Twig payload. The payload leverages filters such as filter or map mapped to standard PHP system execution functions like system or exec.

POST /index.php?p=admin/actions/entries/save-entry HTTP/1.1
Host: target.local
Authorization: Bearer <session_token>
Referer: http://target.local/admin/entries/pages?r={{['uname -a']|map('system')|join}}
Content-Type: application/x-www-form-urlencoded
 
... (POST Data) ...

When the server processes the post-save redirect sequence, it falls back to the malicious Referer header value. The server compiles this header value using the unsandboxed Twig rendering function, leading to the immediate execution of the command uname -a on the host operating system. The output of the command may be rendered in the subsequent redirection response or executed out-of-band depending on the environment context.

Security Impact Assessment

The security impact of CVE-2026-55794 is classified as high, reflected by its CVSS v4.0 base score of 8.7. The vulnerability receives high impact ratings across all primary dimensions: Confidentiality, Integrity, and Availability (VC:H/VI:H/VA:H). Because the injection results in remote command execution, the attacker effectively inherits the operational privileges of the underlying web server user account (e.g., www-data or apache).

With command execution privileges, an attacker can read sensitive configuration files, including database credentials stored in the .env file, and completely compromise the backend database. This database access can then be leveraged to extract customer data, administrative session cookies, or proprietary assets. Additionally, the attacker can write files to the webroot to establish persistent backdoors or web shells, guaranteeing continued access even after the session expires.

While the vulnerability requires authentication, the low privilege level required (element editor) increases the risk of insider threats and privilege escalation. If an external attacker compromises a lower-privileged account via credential stuffing or phishing, they can immediately elevate their access to full system-level control by triggering this flaw.

Remediation and Detection Strategies

The primary recommendation to mitigate CVE-2026-55794 is to upgrade the Craft CMS installation to version 5.10.0 or later. This version contains the official security patch, which eliminates the use of the client-controlled Referer header and enforces rigorous cryptographic signature verification on the returnUrl query parameter.

In scenarios where an immediate upgrade is not feasible, temporary mitigation strategies must be applied. Web Application Firewalls (WAFs) should be configured with custom rules to inspect the Referer header of incoming HTTP requests targeting control panel actions. The rule should reject any requests containing curly braces ({ or }) or known Twig syntax elements directed at administrative endpoints.

Additionally, system administrators should audit control panel user permissions to ensure that only trusted individuals have permission to edit entries or elements. System activity and web server access logs should be monitored for unexpected or malformed Referer headers containing non-alphanumeric patterns, which are indicative of exploitation attempts.

Official Patches

Craft CMSPull Request #18680 containing the cryptographic verification patch and helper deprecations.

Technical Appendix

CVSS Score
8.7/ 10
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L
EPSS Probability
0.29%
Top 79% most exploited

Affected Systems

Craft CMS

Affected Versions Detail

Product
Affected Versions
Fixed Version
Craft CMS
Craft CMS
>= 5.9.0, < 5.10.05.10.0
AttributeDetail
CWE IDCWE-1336 / CWE-94
Attack VectorNetwork (Authenticated)
CVSS Score8.7 (High)
EPSS Score0.00293 (Percentile: 21.12%)
ImpactFull Unsandboxed Remote Code Execution (RCE)
Exploit StatusPoC / Highly Exploitable
KEV StatusNot listed

MITRE ATT&CK Mapping

T1059Command and Scripting Interpreter
Execution
T1203Exploitation for Client Execution
Execution
CWE-1336
Improper Neutralization of Special Elements Used in a Template Engine

The application fails to neutralize or improperly neutralizes special elements that are used in template engine expressions.

Known Exploits & Detection

GitHub Security AdvisoryVulnerability disclosure detailing the template injection mechanism and remediation steps.

Vulnerability Timeline

Official Security Advisory GHSA-f74w-488g-8x5r published by Craft CMS
2026-07-01
Patch Pull Request #18680 merged and Craft CMS 5.10.0 released
2026-07-01
CVE-2026-55794 published via CVE.org
2026-07-01
NVD database record generated
2026-07-02

References & Sources

  • [1]Craft CMS Security Advisory GHSA-f74w-488g-8x5r
  • [2]Craft CMS Pull Request #18680
  • [3]CVE-2026-55794 Official CVE Record
  • [4]NVD Vulnerability Page for CVE-2026-55794

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•14 minutes ago•GHSA-VJC7-JRH9-9J86
10.0

Unauthenticated CRUD and Sensitive Data Exposure in 9Router API Endpoints

An access control deficiency in the 9Router dashboard allows unauthenticated remote attackers to perform full CRUD operations on integrated AI providers, extract plaintext API keys, and access complete system conversation histories.

Amit Schendel
Amit Schendel
1 views•5 min read
•about 1 hour ago•CVE-2026-55790
7.4

CVE-2026-55790: DOM-Based Cross-Site Scripting in Craft CMS Support Widget

A DOM-based cross-site scripting (XSS) vulnerability exists in Craft CMS versions 4.0.0-RC1 through 4.17.15 and 5.0.0-RC1 through 5.9.22. The flaw resides within the CraftSupport widget's feedback search component, which fails to neutralize GitHub issue titles before rendering them into the administrator's control panel. An unauthenticated attacker can exploit this vulnerability by submitting a crafted issue to the public Craft CMS repository on GitHub.

Alon Barad
Alon Barad
0 views•7 min read
•about 1 hour ago•CVE-2026-55793
5.9

CVE-2026-55793: Stored DOM-Based Cross-Site Scripting in Craft CMS ElementTableSorter

CVE-2026-55793 is a DOM-based Stored Cross-Site Scripting (XSS) vulnerability affecting Craft CMS versions 5.0.0-RC1 through 5.9.22. An authenticated user with minimum Author privileges can store a malicious payload in an entry's title. When an administrator or high-privileged user performs a drag-and-drop operation under the modified entry in the structure table view, the unescaped payload is retrieved and concatenated into raw HTML, resulting in arbitrary JavaScript execution within the context of the administrative session.

Alon Barad
Alon Barad
1 views•8 min read
•about 2 hours ago•GHSA-CGFV-JRFP-2R7V
8.5

GHSA-cgfv-jrfp-2r7v: Authenticated SQL Injection in OpenRemote Datapoint Crosstab Export

An authenticated SQL injection vulnerability exists in the datapoint crosstab export functionality of OpenRemote. The vulnerability is caused by insecure manual SQL string construction that concatenates user-controlled display data, specifically asset display names and attribute names, directly into raw SQL statements. These statements are processed by the PostgreSQL database engine using the crosstab function to structure dynamic CSV outputs.

Amit Schendel
Amit Schendel
2 views•5 min read
•about 3 hours ago•GHSA-QRWJ-VH9X-GW5V
8.0

GHSA-QRWJ-VH9X-GW5V: Cross-Agent Server-Side Request Forgery and Remote Code Execution in Coder Workspace Agent

An insecure redirect vulnerability in Coder allows an authenticated attacker who controls a workspace agent to perform unauthorized cross-agent file operations and achieve remote code execution in other workspaces. By exploiting default redirect-following behavior in the control-plane's HTTP client, a malicious agent can redirect legitimate requests to a victim's deterministic tailnet IP address.

Amit Schendel
Amit Schendel
3 views•5 min read
•about 3 hours ago•CVE-2026-35341
7.1

CVE-2026-35341: Local Privilege Escalation and Permission Degradation in uutils coreutils mkfifo

CVE-2026-35341 is a high-severity vulnerability in the mkfifo utility of uutils coreutils, involving a logic-flow bypass and a TOCTOU race condition that permits unauthorized file permission degradation and privilege escalation.

Alon Barad
Alon Barad
3 views•7 min read