Product
An authenticated Remote Code Execution (RCE) vulnerability, CVE-2026-55794, affects Craft CMS versions 5.9.0 up to, but not including, 5.10.0, allowing a control panel user with entry editing permissions to exploit by injecting unsandboxed Twig code into the HTTP Referer header when saving an entry, leading to arbitrary code execution.