craftcms/webhooks is vulnerable to Remote Code Execution (RCE)
80
High Risk
Affected versions of this package render the webhook payload, header, URL, and debounce-key templates with Twig without sandbox enforcement, so untrusted template input is executed on the server. Because renderString() processes attacker-controlled template content (for example, from a compromised admin panel or from stored configuration), malicious Twig expressions can invoke arbitrary PHP methods or reach sensitive objects. An attacker who can write to the webhook template fields could therefore achieve Remote Code Execution (RCE), exfiltrate secrets, or pivot within the hosting environment. The issue was mitigated by enabling TwigSandbox, which isolates template execution and restricts access to dangerous functions and objects.
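The following is an added example, not code from craftcms/webhooks or Craft CMS, showing the two settings the advisory contrasts: a renderString()-style call on a plain Twig environment, where any public method on any template variable is callable, next to the same call with a sandbox policy enforced on every render. It uses Twig's generic SandboxExtension and SecurityPolicy classes rather than Craft's TwigSandbox (assumed here to be the equivalent mechanism); the Order class, its method names and the token value are constructed for the demonstration.

```php
<?php
// Added example (not code from craftcms/webhooks): rendering an untrusted
// webhook payload template without and with Twig sandbox enforcement.
// Assumes twig/twig 3.x is installed via Composer.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Constructed stand-in for an object exposed to a webhook template.
final class Order
{
    // The one method a payload template legitimately needs.
    public function getId(): int { return 42; }

    // A value that a payload template has no business reading.
    public function getApiToken(): string { return 'constructed-secret-token'; }
}

/** Weak setting: no policy is consulted, every public method is reachable. */
function renderUnsandboxed(string $template, array $vars): string
{
    $twig = new Environment(new ArrayLoader(), ['autoescape' => false]);
    return $twig->createTemplate($template)->render($vars);
}

/** Corrected setting: an explicit allowlist is enforced on every template. */
function renderSandboxed(string $template, array $vars): string
{
    $policy = new SecurityPolicy(
        ['if', 'for'],                // allowed tags
        ['escape', 'json_encode'],    // allowed filters
        [Order::class => ['getId']],  // allowed methods, keyed by class
        [],                           // allowed properties (none)
        ['range']                     // allowed functions
    );
    $twig = new Environment(new ArrayLoader(), ['autoescape' => false]);
    // Second argument true: the sandbox applies to every template,
    // not only to code wrapped in {% sandbox %} blocks.
    $twig->addExtension(new SandboxExtension($policy, true));
    return $twig->createTemplate($template)->render($vars);
}

$vars        = ['order' => new Order()];
$okTemplate  = '{"id": {{ order.getId() }} }';
$badTemplate = '{"token": "{{ order.getApiToken() }}"}';

// Without a sandbox both templates render: the second one returns the token.
echo renderUnsandboxed($okTemplate, $vars), "\n";
echo renderUnsandboxed($badTemplate, $vars), "\n";

// With the sandbox the allowlisted call still works ...
echo renderSandboxed($okTemplate, $vars), "\n";

// ... while the non-allowlisted method call is rejected before it runs.
try {
    renderSandboxed($badTemplate, $vars);
} catch (SecurityError $e) {
    echo 'blocked by sandbox policy: ', $e->getMessage(), "\n";
}
```

The point of the comparison is that the template string is the same in both cases; only the environment decides whether a stored template can reach methods beyond the small set a webhook payload needs. When auditing a renderString() call site, check that the environment it uses has a sandbox extension registered in the always-on mode and that the policy's method and function allowlists are as narrow as the feature allows.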
You are affected if you are using a version that falls within the vulnerable range.
craftcms/webhooks is vulnerable to Remote Code Execution (RCE) in versions 0.1.0 - 3.1.1.
Upgrade the craftcms/webhooks library to the patched version.