
Vulnerability_id VCID-ejv9-c3hf-jfax
Summary
Craft CMS has Twig Function Blocklist Bypass
Craft CMS implements a blocklist to prevent potentially dangerous PHP functions from being called via Twig non-Closure arrow functions.

To exploit this issue, an attacker needs either `allowAdminChanges` enabled on production, a compromised admin account, or an account with access to the System Messages utility.

Several PHP functions are not included in the blocklist, which could allow malicious actors with the required permissions to execute various types of payloads, including RCEs, arbitrary file reads, SSRFs, and SSTIs.

Twig has already deprecated this behavior, and it will eventually be removed from Twig altogether.

https://github.com/twigphp/Twig/blob/946ddeafa3c9f4ce279d1f34051af041db0e16f2/src/Extension/CoreExtension.php#L2096

This has been resolved in Craft 4.17.0 and 5.9.0, which remove the blocklist and disable all non-Closure arrow functions in Twig globally via the `enableTwigSandbox` config setting. That setting is enabled by default on all new Craft projects. Existing Craft projects will need to enable the config setting to take advantage of it.

Existing projects should update to the patched versions of 5.9.0 and 4.17.0 to mitigate the issue and enable the config setting.
Aliases
0
alias CVE-2026-28783
1
alias GHSA-5fvc-7894-ghp4
Fixed_packages
0
url pkg:composer/craftcms/cms@4.17.0-beta.1
purl pkg:composer/craftcms/cms@4.17.0-beta.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.0-beta.1
1
url pkg:composer/craftcms/cms@5.9.0-beta.1
purl pkg:composer/craftcms/cms@5.9.0-beta.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-p4uy-hbad-k3c2
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1
Affected_packages
0
url pkg:composer/craftcms/cms@4.0.0-RC1
purl pkg:composer/craftcms/cms@4.0.0-RC1
is_vulnerable true
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.0.0-RC1
1
url pkg:composer/craftcms/cms@5.0.0-RC1
purl pkg:composer/craftcms/cms@5.0.0-RC1
is_vulnerable true
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.0.0-RC1
References
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-28783
reference_id
reference_type
scores
0
value 0.00036
scoring_system epss
scoring_elements 0.11162
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-28783
1
reference_url https://github.com/craftcms/cms
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/craftcms/cms
2
reference_url https://github.com/craftcms/cms/pull/18208
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
1
value 9.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-04T17:33:33Z/
url https://github.com/craftcms/cms/pull/18208
3
reference_url https://github.com/twigphp/Twig/blob/946ddeafa3c9f4ce279d1f34051af041db0e16f2/src/Extension/CoreExtension.php#L2096
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/twigphp/Twig/blob/946ddeafa3c9f4ce279d1f34051af041db0e16f2/src/Extension/CoreExtension.php#L2096
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-28783
reference_id CVE-2026-28783
reference_type
scores
0
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-28783
5
reference_url https://github.com/advisories/GHSA-5fvc-7894-ghp4
reference_id GHSA-5fvc-7894-ghp4
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-5fvc-7894-ghp4
6
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-5fvc-7894-ghp4
reference_id GHSA-5fvc-7894-ghp4
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
2
value 9.4
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-04T17:33:33Z/
url https://github.com/craftcms/cms/security/advisories/GHSA-5fvc-7894-ghp4
Weaknesses
0
cwe_id 1336
name Improper Neutralization of Special Elements Used in a Template Engine
description The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.
1
cwe_id 184
name Incomplete List of Disallowed Inputs
description The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete, leading to resultant weaknesses.
2
cwe_id 94
name Improper Control of Generation of Code ('Code Injection')
description The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
3
cwe_id 937
name OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
4
cwe_id 1035
name OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
Exploits
Severity_range_score 4.0 - 9.4
Exploitability 0.5
Weighted_severity 6.2
Risk_score 3.1
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ejv9-c3hf-jfax