<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title>Most recent sightings.</title>
    <link>https://vulnerability.circl.lu</link>
    <description>Contains only the most 10 recent sightings.</description>
    <docs>http://www.rssboard.org/rss-specification</docs>
    <generator>python-feedgen</generator>
    <language>en</language>
    <lastBuildDate>Fri, 10 Jul 2026 03:03:39 +0000</lastBuildDate>
    <item>
      <title>27c0c4b3-a0b0-4a5d-bc5d-d8c491b7c1e2</title>
      <link>https://vulnerability.circl.lu/sighting/27c0c4b3-a0b0-4a5d-bc5d-d8c491b7c1e2/export</link>
      <description>{"uuid": "27c0c4b3-a0b0-4a5d-bc5d-d8c491b7c1e2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-55794", "type": "seen", "source": "https://gist.github.com/alon710/8f065297b373724c4dd370345047c8bb", "content": "# CVE-2026-55794: CVE-2026-55794: Authenticated Remote Code Execution via Template Injection in Craft CMS\n\n&amp;gt; **CVSS Score:** 8.7\n&amp;gt; **Published:** 2026-07-06\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-55794\n\n## Summary\nCraft CMS versions 5.9.0 through 5.9.9 are vulnerable to authenticated Remote Code Execution (RCE). An attacker with control panel permissions to edit entries can inject malicious Twig templates into the client-side HTTP Referer header. During the post-save redirect sequence, the server evaluates this user-controlled header using an unsandboxed Twig rendering function, leading to arbitrary system command execution.\n\n## TL;DR\nAn authenticated remote code execution vulnerability in Craft CMS allows users with entry editing permissions to execute arbitrary system commands by injecting Twig template payloads into the HTTP Referer header during post-save redirects.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-1336 / CWE-94\n- **Attack Vector**: Network (Authenticated)\n- **CVSS Score**: 8.7 (High)\n- **EPSS Score**: 0.00293 (Percentile: 21.12%)\n- **Impact**: Full Unsandboxed Remote Code Execution (RCE)\n- **Exploit Status**: PoC / Highly Exploitable\n- **KEV Status**: Not listed\n\n## Affected Systems\n\n- Craft CMS\n- **Craft CMS**: &amp;gt;= 5.9.0, &amp;lt; 5.10.0 (Fixed in: `5.10.0`)\n\n## Mitigation\n\n- Upgrade Craft CMS instances to version 5.10.0 or higher.\n- Implement Web Application Firewall (WAF) rules to inspect and sanitize the Referer HTTP header on control panel endpoints.\n- Deploy intrusion detection rules to flag anomalous characters like curly braces in HTTP Referer headers targeting elements/save-entry actions.\n\n**Remediation Steps:**\n1. Run 'composer update craftcms/cms' to update the application to version 5.10.0 or newer.\n2. Verify the update by checking that the returnUrl parameter contains cryptographically signed hashes in control panel links.\n3. Perform a log audit on web server access logs for historic POST requests containing Twig patterns in the Referer header.\n\n## References\n\n- [Craft CMS Security Advisory GHSA-f74w-488g-8x5r](https://github.com/craftcms/cms/security/advisories/GHSA-f74w-488g-8x5r)\n- [Craft CMS Pull Request #18680](https://github.com/craftcms/cms/pull/18680)\n- [CVE-2026-55794 Official CVE Record](https://www.cve.org/CVERecord?id=CVE-2026-55794)\n- [NVD Vulnerability Page for CVE-2026-55794](https://nvd.nist.gov/vuln/detail/CVE-2026-55794)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-55794) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-07T01:11:51.176512Z"}</description>
      <content:encoded>{"uuid": "27c0c4b3-a0b0-4a5d-bc5d-d8c491b7c1e2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-55794", "type": "seen", "source": "https://gist.github.com/alon710/8f065297b373724c4dd370345047c8bb", "content": "# CVE-2026-55794: CVE-2026-55794: Authenticated Remote Code Execution via Template Injection in Craft CMS\n\n&amp;gt; **CVSS Score:** 8.7\n&amp;gt; **Published:** 2026-07-06\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-55794\n\n## Summary\nCraft CMS versions 5.9.0 through 5.9.9 are vulnerable to authenticated Remote Code Execution (RCE). An attacker with control panel permissions to edit entries can inject malicious Twig templates into the client-side HTTP Referer header. During the post-save redirect sequence, the server evaluates this user-controlled header using an unsandboxed Twig rendering function, leading to arbitrary system command execution.\n\n## TL;DR\nAn authenticated remote code execution vulnerability in Craft CMS allows users with entry editing permissions to execute arbitrary system commands by injecting Twig template payloads into the HTTP Referer header during post-save redirects.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-1336 / CWE-94\n- **Attack Vector**: Network (Authenticated)\n- **CVSS Score**: 8.7 (High)\n- **EPSS Score**: 0.00293 (Percentile: 21.12%)\n- **Impact**: Full Unsandboxed Remote Code Execution (RCE)\n- **Exploit Status**: PoC / Highly Exploitable\n- **KEV Status**: Not listed\n\n## Affected Systems\n\n- Craft CMS\n- **Craft CMS**: &amp;gt;= 5.9.0, &amp;lt; 5.10.0 (Fixed in: `5.10.0`)\n\n## Mitigation\n\n- Upgrade Craft CMS instances to version 5.10.0 or higher.\n- Implement Web Application Firewall (WAF) rules to inspect and sanitize the Referer HTTP header on control panel endpoints.\n- Deploy intrusion detection rules to flag anomalous characters like curly braces in HTTP Referer headers targeting elements/save-entry actions.\n\n**Remediation Steps:**\n1. Run 'composer update craftcms/cms' to update the application to version 5.10.0 or newer.\n2. Verify the update by checking that the returnUrl parameter contains cryptographically signed hashes in control panel links.\n3. Perform a log audit on web server access logs for historic POST requests containing Twig patterns in the Referer header.\n\n## References\n\n- [Craft CMS Security Advisory GHSA-f74w-488g-8x5r](https://github.com/craftcms/cms/security/advisories/GHSA-f74w-488g-8x5r)\n- [Craft CMS Pull Request #18680](https://github.com/craftcms/cms/pull/18680)\n- [CVE-2026-55794 Official CVE Record](https://www.cve.org/CVERecord?id=CVE-2026-55794)\n- [NVD Vulnerability Page for CVE-2026-55794](https://nvd.nist.gov/vuln/detail/CVE-2026-55794)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-55794) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-07T01:11:51.176512Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/27c0c4b3-a0b0-4a5d-bc5d-d8c491b7c1e2/export</guid>
      <pubDate>Tue, 07 Jul 2026 01:11:51 +0000</pubDate>
    </item>
    <item>
      <title>f73716ce-d4a2-4b40-9e04-68b1f3478603</title>
      <link>https://vulnerability.circl.lu/sighting/f73716ce-d4a2-4b40-9e04-68b1f3478603/export</link>
      <description>{"uuid": "f73716ce-d4a2-4b40-9e04-68b1f3478603", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-55794", "type": "seen", "source": "https://bsky.app/profile/stackflag.bsky.social/post/3mpz5fz56bt2l", "content": "CVE-2026-55794 - cms\nCraft CMS versions 5.9.0 to 5.10.0 are vulnerable to a security risk where attackers can execute malicious code on a website. This can happen when a user saves entries, allowing\u2026\n\nToo many irrelevant or confusing CVEs? Use stackflag.com\n\n#cms #craftcms #composer #CVE #infosec", "creation_timestamp": "2026-07-06T22:32:04.311681Z"}</description>
      <content:encoded>{"uuid": "f73716ce-d4a2-4b40-9e04-68b1f3478603", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-55794", "type": "seen", "source": "https://bsky.app/profile/stackflag.bsky.social/post/3mpz5fz56bt2l", "content": "CVE-2026-55794 - cms\nCraft CMS versions 5.9.0 to 5.10.0 are vulnerable to a security risk where attackers can execute malicious code on a website. This can happen when a user saves entries, allowing\u2026\n\nToo many irrelevant or confusing CVEs? Use stackflag.com\n\n#cms #craftcms #composer #CVE #infosec", "creation_timestamp": "2026-07-06T22:32:04.311681Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/f73716ce-d4a2-4b40-9e04-68b1f3478603/export</guid>
      <pubDate>Mon, 06 Jul 2026 22:32:04 +0000</pubDate>
    </item>
    <item>
      <title>bd8b036e-e6bd-444c-a601-f7ece15d1026</title>
      <link>https://vulnerability.circl.lu/sighting/bd8b036e-e6bd-444c-a601-f7ece15d1026/export</link>
      <description>{"uuid": "bd8b036e-e6bd-444c-a601-f7ece15d1026", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-55794", "type": "seen", "source": "https://bsky.app/profile/kriptabiz.bsky.social/post/3mpohgzzjzh2n", "content": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c CVE-2026-55794 \u0432 Craft CMS: \u0443\u0433\u0440\u043e\u0437\u044b, \u043f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u0438 \u0441\u043f\u043e\u0441\u043e\u0431\u044b \u0437\u0430\u0449\u0438\u0442\u044b\n\n\n\nhttps://kripta.biz/posts/FC4B658E-B962-44D6-81BB-CCDDB3ADEA54", "creation_timestamp": "2026-07-02T16:32:18.926970Z"}</description>
      <content:encoded>{"uuid": "bd8b036e-e6bd-444c-a601-f7ece15d1026", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-55794", "type": "seen", "source": "https://bsky.app/profile/kriptabiz.bsky.social/post/3mpohgzzjzh2n", "content": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c CVE-2026-55794 \u0432 Craft CMS: \u0443\u0433\u0440\u043e\u0437\u044b, \u043f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u0438 \u0441\u043f\u043e\u0441\u043e\u0431\u044b \u0437\u0430\u0449\u0438\u0442\u044b\n\n\n\nhttps://kripta.biz/posts/FC4B658E-B962-44D6-81BB-CCDDB3ADEA54", "creation_timestamp": "2026-07-02T16:32:18.926970Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/bd8b036e-e6bd-444c-a601-f7ece15d1026/export</guid>
      <pubDate>Thu, 02 Jul 2026 16:32:18 +0000</pubDate>
    </item>
    <item>
      <title>99fe4b1e-e4ff-443e-b77a-09285c3094ca</title>
      <link>https://vulnerability.circl.lu/sighting/99fe4b1e-e4ff-443e-b77a-09285c3094ca/export</link>
      <description>{"uuid": "99fe4b1e-e4ff-443e-b77a-09285c3094ca", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-55794", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mpmr7z6ifr2m", "content": "CVE-2026-55794 - Craft CMS: Potential authenticated Remote Code Execution via referrer redirect\nCVE ID : CVE-2026-55794\n \n Published : July 1, 2026, 11:26 p.m. | 20\u00a0minutes ago\n \n Description : Craft CMS is a content management system (CMS). In versions 5.9.0 and above prior t...", "creation_timestamp": "2026-07-02T00:22:01.235267Z"}</description>
      <content:encoded>{"uuid": "99fe4b1e-e4ff-443e-b77a-09285c3094ca", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-55794", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mpmr7z6ifr2m", "content": "CVE-2026-55794 - Craft CMS: Potential authenticated Remote Code Execution via referrer redirect\nCVE ID : CVE-2026-55794\n \n Published : July 1, 2026, 11:26 p.m. | 20\u00a0minutes ago\n \n Description : Craft CMS is a content management system (CMS). In versions 5.9.0 and above prior t...", "creation_timestamp": "2026-07-02T00:22:01.235267Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/99fe4b1e-e4ff-443e-b77a-09285c3094ca/export</guid>
      <pubDate>Thu, 02 Jul 2026 00:22:01 +0000</pubDate>
    </item>
  </channel>
</rss>
