Improper access control in Craft CMS - #VU134677
Published: June 16, 2026
Vulnerability identifier: #VU134677
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Pixel & Tonic, Inc.
Affected software:
Craft CMS
Craft CMS
Detailed vulnerability description
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the system email template rendering functionality when rendering sandboxed system message templates containing the dataUrl() Twig function. A remote user can embed a file-reading payload into a system email template to disclose sensitive information.
Exploitation requires the utility:system-messages permission and configured email sending. The issue can expose the .env file contents, including secrets that may enable subsequent admin account takeover.
Remediation
Install security update from vendor's website.