Primary

Context

Craft CMS Remote Code Execution Vulnerability via Twig Template Injection

Vulnerability

Patched

A remote code execution vulnerability has been identified in Craft CMS versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16. This vulnerability arises from authenticated remote code execution potential through Twig server-side template injection. Exploitation requires administrator access to the Craft Control Panel with the 'allowAdminChanges' setting enabled, contrary to recommended practices for non-development environments. Alternatively, a non-administrator account can be used if it has access to the System Messages utility, allowing the crafting of a malicious payload using the Twig 'map' filter in text fields that accept Twig input under Settings or through the System Messages utility.

Impact

Exploitation of this vulnerability allows for authenticated remote code execution on the server where Craft CMS is hosted.

Remediation

Users are advised to update to Craft CMS versions 5.8.21 or 4.16.17, where this vulnerability has been patched.

Added: Jan 5, 2026, 10:23 PM

Updated: Jan 5, 2026, 10:23 PM

Vulnerability Rating

Custom Algorithm

spread

5.2

impact

10.0

exploitability

5.6

remediation

7.9

relevance

1.9

threat

3.2

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

5.2

impact

10.0

exploitability

5.6

remediation

7.9

relevance

1.9

threat

3.2

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Craft CMS Remote Code Execution Vulnerability via Twig Template Injection

Vulnerability

Impact

Remediation

Affected Products

Craft CMS

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating