{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/authenticated-rce/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"id":"CVE-2026-55794"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Craft CMS (\u003e= 5.9.0, \u003c 5.10.0)"],"_cs_severities":["high"],"_cs_tags":["rce","web-application","craft-cms","cve","authenticated-rce"],"_cs_type":"advisory","_cs_vendors":["craftcms"],"content_html":"\u003cp\u003eA high-severity authenticated Remote Code Execution (RCE) vulnerability, tracked as CVE-2026-55794, has been identified in Craft CMS versions 5.9.0 through 5.9.x. The flaw allows authenticated control panel users who possess permissions to edit entries to execute arbitrary Twig code on the underlying server. This occurs because the platform incorrectly processes user-controlled data within the HTTP \u003ccode\u003eReferer\u003c/code\u003e header as an unsandboxed Twig template during the entry-saving process. Attackers can manipulate this header to inject malicious Twig code, bypassing intended sandboxing mechanisms and achieving full RCE. The vulnerability is considered critical for affected installations as it grants server-level control to a compromised or malicious authenticated user. The issue has been addressed in Craft CMS 5.10.0, and immediate patching is recommended for all affected instances.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains or possesses authenticated access to the Craft CMS control panel with permissions to edit entries.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a process to save an existing entry or create a new one within the Craft CMS control panel.\u003c/li\u003e\n\u003cli\u003ePrior to sending the save request, the attacker intercepts or crafts the HTTP request, specifically manipulating the \u003ccode\u003eReferer\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious, unsandboxed Twig code into the \u003ccode\u003eReferer\u003c/code\u003e header's value, designed to execute arbitrary commands.\u003c/li\u003e\n\u003cli\u003eCraft CMS processes the \u003ccode\u003eReferer\u003c/code\u003e header value as part of generating a signed redirect URL, inadvertently compiling the attacker-controlled string as an unsandboxed Twig template using \u003ccode\u003erenderObjectTemplate()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe injected malicious Twig code is executed by the server-side template engine, leading to arbitrary command execution on the host.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-55794 grants an authenticated attacker full Remote Code Execution (RCE) on the server hosting Craft CMS. This can lead to complete compromise of the web server and its associated data. Impact includes, but is not limited to, data exfiltration, website defacement, installation of backdoors, further lateral movement within the network, and complete system takeover. Organizations in any sector using affected Craft CMS versions are at risk of significant operational disruption and data breaches if this vulnerability is exploited.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update Craft CMS to version 5.10.0 or higher to patch CVE-2026-55794.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule below to your SIEM to detect attempts at Twig injection via the \u003ccode\u003eReferer\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eEnsure web server logs (category \u003ccode\u003ewebserver\u003c/code\u003e) are configured to capture full HTTP request headers, especially the \u003ccode\u003eReferer\u003c/code\u003e header, for effective detection.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-06T21:38:43Z","date_published":"2026-07-06T21:38:43Z","id":"https://feed.craftedsignal.io/briefs/2026-07-craft-cms-rce/","summary":"An authenticated Remote Code Execution (RCE) vulnerability, CVE-2026-55794, affects Craft CMS versions 5.9.0 up to, but not including, 5.10.0, allowing a control panel user with entry editing permissions to exploit by injecting unsandboxed Twig code into the HTTP Referer header when saving an entry, leading to arbitrary code execution.","title":"Craft CMS Authenticated RCE (CVE-2026-55794) via Referer Header Twig Injection","url":"https://feed.craftedsignal.io/briefs/2026-07-craft-cms-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Authenticated-Rce","version":"https://jsonfeed.org/version/1.1"}