Jul 7, 2026·6 min read·3 visits
An authenticated remote code execution vulnerability in Craft CMS allows users with entry editing permissions to execute arbitrary system commands by injecting Twig template payloads into the HTTP Referer header during post-save redirects.
Craft CMS versions 5.9.0 through 5.9.9 are vulnerable to authenticated Remote Code Execution (RCE). An attacker with control panel permissions to edit entries can inject malicious Twig templates into the client-side HTTP Referer header. During the post-save redirect sequence, the server evaluates this user-controlled header using an unsandboxed Twig rendering function, leading to arbitrary system command execution.
Craft CMS version 5.9.0 introduced a referrer-based redirect mechanism designed to return administrative users to their original entry index page after updating elements in the Control Panel. This mechanism trusted the client-supplied HTTP Referer header, exposing an unintended entry point for template injection.
This security weakness is classified under CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine), which cascades into CWE-94 (Improper Control of Generation of Code). When an authorized user executes an element save action, the application processes the client's HTTP Referer header through an unsandboxed Twig template rendering routine.
An attacker who has permissions to edit at least one entry type can exploit this vector to execute arbitrary system commands on the host server. The attack surface is limited to authenticated control panel users, but because any element editor can trigger it, the risk of privilege escalation and full server takeover remains severe.
The root cause of this vulnerability lies in the implementation of the post-save redirect resolution inside src/controllers/ElementsController.php. When an entry is successfully updated, the controller resolves the destination URL using a prioritized sequence: first checking for a signed returnUrl query parameter, falling back to UrlHelper::cpReferralUrl(), and finally defaulting to the standard post-edit URL.
The helper function UrlHelper::cpReferralUrl() directly retrieves the raw HTTP Referer request header without validation or sanitization. Since HTTP headers are entirely client-controlled, any string, including specialized Twig template expressions, can be injected into this value by an attacker.
Once the controller obtains this unchecked referrer string, it passes it to the getPostedRedirectUrl() method in the base controller class src/web/Controller.php. This method attempts to evaluate dynamic placeholders inside the URL string using renderObjectTemplate(). Because renderObjectTemplate() evaluates input in an unsandboxed state, the Twig engine compiles and executes any embedded expressions, leading to remote code execution.
To understand the core flaw, it is necessary to examine the differences between the vulnerable implementation and the remediation introduced in version 5.10.0. The vulnerable code in ElementsController.php did not validate whether the redirect URL was cryptographically signed before executing template rendering. It blindly fell back to the referrer header:
// Vulnerable redirect resolution logic
$redirectUrl = $this->request->getValidatedQueryParam('returnUrl') ?? UrlHelper::cpReferralUrl() ?? ElementHelper::postEditUrl($element);The remediation implemented in Pull Request #18680 entirely deprecates UrlHelper::cpReferralUrl() and strictly mandates signature verification for any custom returnUrl containing template syntax:
// Patched logic in ElementsController.php
$redirectUrl = $this->request->getQueryParam('returnUrl');
if ($redirectUrl) {
// Validate cryptographic signature
$validated = Craft::$app->getSecurity()->validateData($redirectUrl);
if ($validated !== false) {
$redirectUrl = $validated;
} elseif (str_contains($redirectUrl, '{')) {
// Reject raw template expressions
throw new BadRequestHttpException("Invalid returnUrl param: $redirectUrl");
}
} else {
$redirectUrl = ElementHelper::postEditUrl($element);
}This defensive design is highly complete. By verifying the cryptographic signature of the template-containing parameter, the server ensures that only internally generated templates are compiled. Any untrusted, user-supplied templates will fail validation and trigger a BadRequestHttpException before reaching the execution phase.
Exploitation of CVE-2026-55794 requires the attacker to possess an active session on the Craft CMS Control Panel. The session must belong to an account authorized to edit elements, such as entries, assets, or categories. This prerequisite makes the vulnerability highly relevant to multi-tenant environments or sites with multiple content editors.
To execute the attack, the adversary prepares a standard HTTP POST request directed to the entry-saving endpoint, typically actions/entries/save-entry. During this request, the attacker modifies the standard Referer header to include an unsandboxed Twig payload. The payload leverages filters such as filter or map mapped to standard PHP system execution functions like system or exec.
POST /index.php?p=admin/actions/entries/save-entry HTTP/1.1
Host: target.local
Authorization: Bearer <session_token>
Referer: http://target.local/admin/entries/pages?r={{['uname -a']|map('system')|join}}
Content-Type: application/x-www-form-urlencoded
... (POST Data) ...When the server processes the post-save redirect sequence, it falls back to the malicious Referer header value. The server compiles this header value using the unsandboxed Twig rendering function, leading to the immediate execution of the command uname -a on the host operating system. The output of the command may be rendered in the subsequent redirection response or executed out-of-band depending on the environment context.
The security impact of CVE-2026-55794 is classified as high, reflected by its CVSS v4.0 base score of 8.7. The vulnerability receives high impact ratings across all primary dimensions: Confidentiality, Integrity, and Availability (VC:H/VI:H/VA:H). Because the injection results in remote command execution, the attacker effectively inherits the operational privileges of the underlying web server user account (e.g., www-data or apache).
With command execution privileges, an attacker can read sensitive configuration files, including database credentials stored in the .env file, and completely compromise the backend database. This database access can then be leveraged to extract customer data, administrative session cookies, or proprietary assets. Additionally, the attacker can write files to the webroot to establish persistent backdoors or web shells, guaranteeing continued access even after the session expires.
While the vulnerability requires authentication, the low privilege level required (element editor) increases the risk of insider threats and privilege escalation. If an external attacker compromises a lower-privileged account via credential stuffing or phishing, they can immediately elevate their access to full system-level control by triggering this flaw.
The primary recommendation to mitigate CVE-2026-55794 is to upgrade the Craft CMS installation to version 5.10.0 or later. This version contains the official security patch, which eliminates the use of the client-controlled Referer header and enforces rigorous cryptographic signature verification on the returnUrl query parameter.
In scenarios where an immediate upgrade is not feasible, temporary mitigation strategies must be applied. Web Application Firewalls (WAFs) should be configured with custom rules to inspect the Referer header of incoming HTTP requests targeting control panel actions. The rule should reject any requests containing curly braces ({ or }) or known Twig syntax elements directed at administrative endpoints.
Additionally, system administrators should audit control panel user permissions to ensure that only trusted individuals have permission to edit entries or elements. System activity and web server access logs should be monitored for unexpected or malformed Referer headers containing non-alphanumeric patterns, which are indicative of exploitation attempts.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L| Product | Affected Versions | Fixed Version |
|---|---|---|
Craft CMS Craft CMS | >= 5.9.0, < 5.10.0 | 5.10.0 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-1336 / CWE-94 |
| Attack Vector | Network (Authenticated) |
| CVSS Score | 8.7 (High) |
| EPSS Score | 0.00293 (Percentile: 21.12%) |
| Impact | Full Unsandboxed Remote Code Execution (RCE) |
| Exploit Status | PoC / Highly Exploitable |
| KEV Status | Not listed |
The application fails to neutralize or improperly neutralizes special elements that are used in template engine expressions.
An access control deficiency in the 9Router dashboard allows unauthenticated remote attackers to perform full CRUD operations on integrated AI providers, extract plaintext API keys, and access complete system conversation histories.
A DOM-based cross-site scripting (XSS) vulnerability exists in Craft CMS versions 4.0.0-RC1 through 4.17.15 and 5.0.0-RC1 through 5.9.22. The flaw resides within the CraftSupport widget's feedback search component, which fails to neutralize GitHub issue titles before rendering them into the administrator's control panel. An unauthenticated attacker can exploit this vulnerability by submitting a crafted issue to the public Craft CMS repository on GitHub.
CVE-2026-55793 is a DOM-based Stored Cross-Site Scripting (XSS) vulnerability affecting Craft CMS versions 5.0.0-RC1 through 5.9.22. An authenticated user with minimum Author privileges can store a malicious payload in an entry's title. When an administrator or high-privileged user performs a drag-and-drop operation under the modified entry in the structure table view, the unescaped payload is retrieved and concatenated into raw HTML, resulting in arbitrary JavaScript execution within the context of the administrative session.
An authenticated SQL injection vulnerability exists in the datapoint crosstab export functionality of OpenRemote. The vulnerability is caused by insecure manual SQL string construction that concatenates user-controlled display data, specifically asset display names and attribute names, directly into raw SQL statements. These statements are processed by the PostgreSQL database engine using the crosstab function to structure dynamic CSV outputs.
An insecure redirect vulnerability in Coder allows an authenticated attacker who controls a workspace agent to perform unauthorized cross-agent file operations and achieve remote code execution in other workspaces. By exploiting default redirect-following behavior in the control-plane's HTTP client, a malicious agent can redirect legitimate requests to a victim's deterministic tailnet IP address.
CVE-2026-35341 is a high-severity vulnerability in the mkfifo utility of uutils coreutils, involving a logic-flow bypass and a TOCTOU race condition that permits unauthorized file permission degradation and privilege escalation.