Craft CMS
cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*
- >= 5.8.7, < 5.9.0-beta.1
- >= 4.0.0-RC1, < 4.17.0-beta.1
Craft CMS 5.8.7 up to but not including 5.9.0-beta.1, and 4.0.0-RC1 up to but not including 4.17.0-beta.1, are vulnerable to authenticated remote code execution through server-side template injection (SSTI). The 'create()' Twig function instantiates arbitrary PHP classes, and because Craft ships the symfony/process dependency, an attacker who can get a template rendered can instantiate a Symfony Process object and use it as a gadget chain to run operating system commands. This bypasses the earlier fix for CVE-2025-57811.
An authenticated user with admin privileges can execute arbitrary commands on the server in the security context of the web server user. In a default Docker installation this can lead to full server compromise.
To reproduce, log in to the Craft control panel as a user with admin privileges, go to 'Settings', then 'Entry Types', open any entry type and locate its 'Title Format' field. The Title Format is a Twig template that Craft renders to generate the entry title, so any payload placed there is stored with the entry type and evaluated later. Insert a payload that calls the 'create()' Twig function to instantiate a Symfony Process object, save the entry type, then create or edit an entry of that type. The injected command runs when the title is generated, and its output appears as the entry title.
Upgrade to Craft CMS 5.9.0-beta.1 or later (5.x) or 4.17.0-beta.1 or later (4.x), where the vulnerability is patched. Because a payload lives in the stored entry type rather than in a request, also review the Title Format of every existing entry type for 'create()' calls before and after upgrading.
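Two checks that follow from the advisory, written here as an added example (not code from the advisory or from Craft CMS): whether an installed version falls inside the published affected ranges, with pre-release tags ordered correctly (5.9.0-beta.1 sorts below 5.9.0, 4.0.0-RC1 below 4.0.0), and a scan of entry-type Title Format templates for the 'create()' function the advisory names as the injection vector. The entry-type records are constructed sample data; the pre-release ordering is a simplified version of SemVer precedence, and the statement about where Craft stores the Title Format (project config under config/project/entryTypes/ and the entrytypes.titleFormat column) is an assumption, so point the scanner at your own export of that data.

```python
"""Added example, not part of the advisory or of Craft CMS itself.

  1. is_affected(): is a Craft version inside the published affected ranges?
  2. find_create_in_title_formats(): which entry types carry a create() call
     in their Title Format template?
The entry-type records at the bottom are constructed samples.
"""
import re

# Affected ranges exactly as published: lower bound inclusive, upper bound exclusive.
AFFECTED_RANGES = [
    ("5.8.7", "5.9.0-beta.1"),
    ("4.0.0-RC1", "4.17.0-beta.1"),
]

_IDENT = re.compile(r"^([A-Za-z]*)(\d*)$")


def _prerelease_key(pre: str):
    """Turn 'beta.1' or 'RC1' into a sortable tuple.

    Each dot-separated identifier becomes (alpha_part_lowercased, number_or_-1),
    so 'beta.1' -> (('beta', -1), ('', 1)) and 'RC1' -> (('rc', 1),).
    Simplified SemVer pre-release ordering, enough for the tag styles Craft
    uses ('alpha.N', 'beta.N', 'RCN').
    """
    key = []
    for ident in pre.split("."):
        m = _IDENT.match(ident)
        if not m:
            raise ValueError(f"unsupported pre-release identifier: {ident!r}")
        alpha, digits = m.groups()
        key.append((alpha.lower(), int(digits) if digits else -1))
    return tuple(key)


def parse_version(v: str):
    """'MAJOR.MINOR.PATCH[-pre]' -> sortable key.

    The middle element is 0 for a pre-release and 1 for a final release, so
    every pre-release of X.Y.Z sorts below X.Y.Z itself.
    """
    core, _, pre = v.strip().partition("-")
    nums = tuple(int(x) for x in core.split("."))
    if pre:
        return (nums, 0, _prerelease_key(pre))
    return (nums, 1, ())


def is_affected(version: str) -> bool:
    """True if `version` lies inside any published [lower, upper) range.

    Versions below 5.8.7 fall outside these ranges only because this advisory
    covers the bypass; the original CVE-2025-57811 is not evaluated here.
    """
    key = parse_version(version)
    return any(parse_version(lo) <= key < parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


# Assumption: the Title Format is stored with the entry type (project config
# under config/project/entryTypes/, and the entrytypes.titleFormat column).
# These records are constructed samples standing in for such an export.
SAMPLE_ENTRY_TYPES = [
    {"handle": "article", "titleFormat": "{section.name}: {slug}"},
    {"handle": "event", "titleFormat": "{startDate|date('Y-m-d')} {eventName}"},
    # Constructed indicator: a create() call where only field references belong.
    {"handle": "backdoor",
     "titleFormat": "{% set p = create('Symfony\\\\Component\\\\Process\\\\Process') %}"
                    "{{ p.getOutput() }}"},
]

CREATE_CALL = re.compile(r"\bcreate\s*\(")


def find_create_in_title_formats(entry_types):
    """Return handles of entry types whose Title Format calls create().

    Legitimate title formats interpolate entry fields and filters; a create()
    call there has no benign use and should be treated as an indicator of
    compromise until the template has been reviewed.
    """
    return [et["handle"] for et in entry_types
            if CREATE_CALL.search(et.get("titleFormat") or "")]


if __name__ == "__main__":
    for v in ("5.8.7", "5.9.0-beta.1", "4.0.0-RC1", "4.16.5", "4.17.0"):
        print(f"{v:14} affected={is_affected(v)}")
    print("flagged entry types:", find_create_in_title_formats(SAMPLE_ENTRY_TYPES))
```

The version check deliberately treats the advisory's ranges as half-open intervals, which is how the published bounds read; the scanner flags any entry type whose Title Format contains 'create(', and the handle it returns is the one to inspect in the control panel.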