Intel

AIKIDO-2026-582447

silverstripe/framework is vulnerable to Remote Code Execution (RCE)

Remote Code Execution (RCE) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jun 24, 2026

72

High Risk

This Affects:

PHPsilverstripe/framework
3.0.0 - 5.4.29
Fixed in 5.4.30
Are you affected? Scan for Free

TL;DR

The silverstripe/framework template compiler emits the default and context strings of a <%t %> translation block directly into the generated PHP template. Before the fix, SSTemplateParser pasted these author-controlled strings in verbatim as double-quoted literals, so a string containing PHP interpolation such as {${'shell_exec'('id')}} was evaluated when the compiled template ran. This allows arbitrary PHP to execute on the server wherever an attacker can influence a translation default or context string. The fix re-emits the value as a single-quoted PHP literal so it is treated as inert text.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your project renders <%t %> translation default or context strings that can contain attacker-influenced content.

Background info

silverstripe/framework is vulnerable to Remote Code Execution (RCE) in versions 3.0.0 - 5.4.29.

How to fix this

Upgrade the silverstripe/framework library to the patch version.