Vulnerability_id VCID-vasz-rnn1-67ev
Summary
Craft CMS has Twig Function Blocklist Bypass
Craft CMS implements a blocklist to prevent potentially dangerous PHP functions from being called via Twig non-Closure arrow functions.

In order to be able to successfully execute this attack, you need to either have `allowAdminChanges` enabled on production, or a compromised admin account, or an account with access to the System Messages utility.

Several PHP functions are not included in the blocklist, which could allow malicious actors with the required permissions to execute various types of payloads, including RCEs, arbitrary file reads, SSRFs, and SSTIs.

Twig has already deprecated this behavior, and it will eventually be removed from Twig altogether.

https://github.com/twigphp/Twig/blob/946ddeafa3c9f4ce279d1f34051af041db0e16f2/src/Extension/CoreExtension.php#L2096

This has been resolved in Craft 4.17.0 and 5.9.0, which removes the blocklist and disables all non-Closure arrow functions in Twig globally via the `enableTwigSandbox` config setting. That setting is enabled by default on all new Craft projects. Existing Craft projects will need to enable the config setting to take advantage of it.

Existing projects should update to the patched versions of 5.9.0 and 4.17.0 to mitigate the issue and enable the config setting.
Aliases
0
alias CVE-2026-28783
1
alias GHSA-5fvc-7894-ghp4
Fixed_packages
0
url pkg:composer/craftcms/cms@4.17.0-beta.1
purl pkg:composer/craftcms/cms@4.17.0-beta.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.17.0-beta.1
1
url pkg:composer/craftcms/cms@5.9.0-beta.1
purl pkg:composer/craftcms/cms@5.9.0-beta.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.9.0-beta.1
Affected_packages
0
url pkg:composer/craftcms/cms@4.0.0-RC1
purl pkg:composer/craftcms/cms@4.0.0-RC1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1468-4fdx-kbfr
1
vulnerability VCID-1mb5-28xp-ckd2
2
vulnerability VCID-2vn9-2cs3-vbg3
3
vulnerability VCID-7y4f-ef7t-47eb
4
vulnerability VCID-8u2j-17a4-q7eh
5
vulnerability VCID-9enr-b6zd-mbh8
6
vulnerability VCID-akrv-yqnf-1kg8
7
vulnerability VCID-azr5-12f8-hfbm
8
vulnerability VCID-cys8-jnmu-77ec
9
vulnerability VCID-ec34-nvn3-qbcb
10
vulnerability VCID-f7gc-cgka-tycr
11
vulnerability VCID-hyct-5gap-7kdu
12
vulnerability VCID-jeyh-3jxd-z3g6
13
vulnerability VCID-jhen-vhqx-n7dr
14
vulnerability VCID-jxz8-g6fq-dubw
15
vulnerability VCID-kbrc-85av-nfcn
16
vulnerability VCID-m5rf-usae-yfb7
17
vulnerability VCID-ppet-ruae-1kav
18
vulnerability VCID-qwmy-d2e8-5khw
19
vulnerability VCID-qywv-vf4r-8bh9
20
vulnerability VCID-twuy-wzb7-k7g3
21
vulnerability VCID-vasz-rnn1-67ev
22
vulnerability VCID-w9yn-1573-hyau
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.0.0-RC1
1
url pkg:composer/craftcms/cms@5.0.0-RC1
purl pkg:composer/craftcms/cms@5.0.0-RC1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1468-4fdx-kbfr
1
vulnerability VCID-1mb5-28xp-ckd2
2
vulnerability VCID-39ct-cg7w-kyb6
3
vulnerability VCID-4wkr-jx1w-77hn
4
vulnerability VCID-5mnd-qvaq-k3am
5
vulnerability VCID-5q5g-jrxm-eyhe
6
vulnerability VCID-7y4f-ef7t-47eb
7
vulnerability VCID-8u2j-17a4-q7eh
8
vulnerability VCID-9enr-b6zd-mbh8
9
vulnerability VCID-a3b5-pwyh-yugv
10
vulnerability VCID-akrv-yqnf-1kg8
11
vulnerability VCID-azr5-12f8-hfbm
12
vulnerability VCID-cys8-jnmu-77ec
13
vulnerability VCID-esma-wxje-eqh3
14
vulnerability VCID-fpea-e48p-kfbn
15
vulnerability VCID-hkp9-3hzv-quhk
16
vulnerability VCID-hyct-5gap-7kdu
17
vulnerability VCID-jeyh-3jxd-z3g6
18
vulnerability VCID-jxz8-g6fq-dubw
19
vulnerability VCID-kbrc-85av-nfcn
20
vulnerability VCID-m5rf-usae-yfb7
21
vulnerability VCID-pgm4-svq8-tfc5
22
vulnerability VCID-ppet-ruae-1kav
23
vulnerability VCID-qywv-vf4r-8bh9
24
vulnerability VCID-rb7c-3nkc-gkeg
25
vulnerability VCID-twuy-wzb7-k7g3
26
vulnerability VCID-vasz-rnn1-67ev
27
vulnerability VCID-vvhc-rnpr-ubey
28
vulnerability VCID-w9yn-1573-hyau
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.0.0-RC1
References
0
reference_url https://github.com/craftcms/cms
reference_id
reference_type
scores
url https://github.com/craftcms/cms
1
reference_url https://github.com/craftcms/cms/pull/18208
reference_id
reference_type
scores
url https://github.com/craftcms/cms/pull/18208
2
reference_url https://github.com/twigphp/Twig/blob/946ddeafa3c9f4ce279d1f34051af041db0e16f2/src/Extension/CoreExtension.php#L2096
reference_id
reference_type
scores
url https://github.com/twigphp/Twig/blob/946ddeafa3c9f4ce279d1f34051af041db0e16f2/src/Extension/CoreExtension.php#L2096
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-28783
reference_id CVE-2026-28783
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2026-28783
4
reference_url https://github.com/advisories/GHSA-5fvc-7894-ghp4
reference_id GHSA-5fvc-7894-ghp4
reference_type
scores
url https://github.com/advisories/GHSA-5fvc-7894-ghp4
5
reference_url https://github.com/craftcms/cms/security/advisories/GHSA-5fvc-7894-ghp4
reference_id GHSA-5fvc-7894-ghp4
reference_type
scores
url https://github.com/craftcms/cms/security/advisories/GHSA-5fvc-7894-ghp4
Weaknesses
0
cwe_id 1336
name Improper Neutralization of Special Elements Used in a Template Engine
description The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.
1
cwe_id 184
name Incomplete List of Disallowed Inputs
description The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete, leading to resultant weaknesses.
2
cwe_id 94
name Improper Control of Generation of Code ('Code Injection')
description The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
3
cwe_id 937
name OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
4
cwe_id 1035
name OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
Exploits
Severity_range_score null
Exploitability null
Weighted_severity null
Risk_score null
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vasz-rnn1-67ev