Web Application Vulnerabilities Runtime SCA Findings
Looking for the vulnerability index of Invicti's legacy products?
Invicti Enterprise Acunetix Standard & Premium
Craft CMS Improper Neutralization of Special Elements Used in a Template Engine Vulnerability - CVE-2026-28697 - Vulnerability Database
Craft CMS

Craft CMS Improper Neutralization of Special Elements Used in a Template Engine Vulnerability - CVE-2026-28697

Critical
Reference: CVE-2026-28697
NVD Link: https://nvd.nist.gov/vuln/detail/CVE-2026-28697
Title: Craft CMS Improper Neutralization of Special Elements Used in a Template Engine Vulnerability
Overview:

Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1 an authenticated administrator can achieve Remote Code Execution (RCE) by injecting a Server-Side Template Injection (SSTI) payload into Twig template fields (e.g. Email Templates). By calling the craft.app.fs.write() method an attacker can write a malicious PHP script to a web-accessible directory and subsequently access it via the browser to execute arbitrary system commands. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1.