{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/twig/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-4257"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["ssti","wordpress","rce","twig"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Contact Form by Supsystic plugin, a popular WordPress plugin, is susceptible to a critical Server-Side Template Injection (SSTI) vulnerability, identified as CVE-2026-4257. This vulnerability affects all versions up to and including 1.7.36. The root cause lies in the plugin\u0026rsquo;s use of the Twig template engine (\u003ccode\u003eTwig_Loader_String\u003c/code\u003e) without proper sandboxing. This, combined with the \u003ccode\u003ecfsPreFill\u003c/code\u003e functionality, allows unauthenticated attackers to inject arbitrary Twig expressions into form…\u003c/p\u003e\n","date_modified":"2026-03-30T22:16:20Z","date_published":"2026-03-30T22:16:20Z","id":"/briefs/2026-03-ssti-wordpress/","summary":"The Contact Form by Supsystic WordPress plugin is vulnerable to Server-Side Template Injection (SSTI) via the `cfsPreFill` parameter, leading to unauthenticated Remote Code Execution (RCE).","title":"Contact Form by Supsystic WordPress Plugin SSTI Vulnerability (CVE-2026-4257)","url":"https://feed.craftedsignal.io/briefs/2026-03-ssti-wordpress/"}],"language":"en","title":"CraftedSignal Threat Feed — Twig","version":"https://jsonfeed.org/version/1.1"}