[MEDIUM] Craft CMS Vulnerable to Authenticated RCE via Twig SSTI - create() function + Symfony Process gadget

PKSA-n7dz-mnbq-y23y CVE-2026-28695 GHSA-94rc-cqvm-m4pw

Affected package: craftcms/cms

Affected version: >=4.0.0-RC1,<4.17.0-beta.1|>=5.8.7,<5.9.0-beta.1

Reported by:
GitHub