CVE Catalog

CVE-2026-55792

MediumCVSS 6.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.27%

18th percentile — higher than 18% of all known CVEs

Summary

A vulnerability in Craft CMS allows users with system email template editing permissions to read server files, including the .env file containing passwords and API keys. An attacker can escalate to full admin account takeover by forging session tokens.

Risk Assessment

The risk involves exposure of sensitive data (database passwords, API keys) and potential full admin account takeover, leading to complete compromise of the CMS system.

Recommendation

Immediately upgrade Craft CMS to version 4.18.0 or 5.10.0, which fix the issue by removing the dataUrl() function from the Twig sandbox allowlist.

Original NVD description (English source)

Craft CMS is a content management system (CMS). In versions starting from 4.0.0-RC1 and prior to 4.18.0, and 5.0.0-RC1 and above, prior to 5.10.0, the dataUrl() Twig function is included in Craft’s Twig sandbox allowlist, allowing any control panel user granted the utility:system-messages permission to embed a file-reading payload into system email templates. When those emails are sent, the server reads the target file and returns its contents as a base64-encoded data URL embedded in the email body. The .env file, which typically contains the database password, CRAFT_SECURITY_KEY, and third-party API keys, passes all of Craft’s existing dataUrl() protection checks and is fully exfiltrated. Obtaining CRAFT_SECURITY_KEY enables an attacker to forge session tokens and escalate to full admin account takeover. This issue has been fixed in versions 4.18.0 and 5.10.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS