[MEDIUM] Craft CMS has potential authenticated Remote Code Execution via Twig SSTI

PKSA-q22m-n7fg-cqgy CVE-2026-28784 GHSA-qc86-q28f-ggww

Affected package: craftcms/cms

Affected version: >=4.0.0-RC1,<4.17.0-beta.1|>=5.0.0-RC1,<5.9.0-beta.1

Reported by:
GitHub