GHSA-287w-mxq6-x2cp: Craft CMS: Sensitive File Disclosure / Server-Side File Read
The dataUrl() Twig function is included in Craft’s Twig sandbox allowlist, allowing any control panel user granted the utility:system-messages permission to embed a file-reading payload into system email templates. When those emails are sent, the server reads the target file and returns its contents as a base64-encoded data URL embedded in the email body. The .env file, which typically contains the database password, CRAFT_SECURITY_KEY, and third-party API keys, passes all of Craft’s existing dataUrl() protection checks and is fully exfiltrated. Obtaining CRAFT_SECURITY_KEY enables an attacker to forge session tokens and escalate to full admin account takeover.
Details
Affected versions: Craft CMS 4.x, 5.x (confirmed against 5.9.19)
The vulnerability arises from the combination of three code facts:
1. dataUrl is in the Twig sandbox allowlist
src/config/twig-sandbox.php, line 115:
php'allowedFunctions' => [
...
'dataUrl', // ← allows file reading inside sandboxed templates
...
],
2. Html::dataUrl() does not block dotfiles
src/helpers/Html.php, lines 1065–1090. The function applies four checks before reading a file:
Must be within the project root .env is at the root
Must not be in a system directory (config/, vendor/, storage/, templates/) .env is not
Must not be a .php file .env has no extension
File must exist .env always exists in a Craft install
There is no check for dotfiles or specifically for .env. All four checks pass silently and file_get_contents() is called, with the result returned as data:text/plain;base64,....
3. System message body is rendered via renderSandboxedString()
src/mail/Mailer.php, lines 181–183:
php$subject = $view->renderSandboxedString($systemMessage->subject, $variables);
$textBody = $view->renderSandboxedString($systemMessage->body, $variables);
$htmlBody = $view->renderSandboxedString($systemMessage->body, $variables, escapeHtml: true);
Any body content saved to a system message is executed inside the Twig sandbox when the email
Details
Original advisory: https://github.com/advisories/GHSA-287w-mxq6-x2cp
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-557920.27% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 18% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-55792 | coverage & exploitation status | NVD · CVE.org |
Same CVEs, other sources
How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.
More from GitHub Security Advisories
- criticalGHSA-g936-7jqj-mwv8: TSDProxy: Internal proxy auth token forwarded to backend services enables management API …2026-07-10
- highGHSA-fpg8-7664-jc5q: melange: Incomplete package integrity verification allows data section substitution2026-07-10
- mediumGHSA-48rx-c7pg-q66r: Excon does not redact additional sensitive/risky headers when following redirects2026-07-10
- highGHSA-h4g2-xfmw-q2c9: Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enab…2026-07-10
- mediumGHSA-rqq5-2gf9-4w4q: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when giv…2026-07-10