Search criteria
186 vulnerabilities found for craft_cms by craftcms
CVE-2025-68456 (GCVE-0-2025-68456)
Vulnerability from nvd – Published: 2026-01-05 22:03 – Updated: 2026-01-06 19:03
VLAI?
Title
Unauthenticated Craft CMS users can trigger a database backup
Summary
Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes.
Severity ?
CWE
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68456",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-06T14:26:08.082464Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-06T19:03:45.923Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-v64r-7wg9-23pr"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cms",
"vendor": "craftcms",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.0.0-RC1, \u003c 5.8.21"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 4.16.17"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-202",
"description": "CWE-202: Exposure of Sensitive Information Through Data Queries",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T22:03:11.155Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/craftcms/cms/security/advisories/GHSA-v64r-7wg9-23pr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-v64r-7wg9-23pr"
},
{
"name": "https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39"
},
{
"name": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04"
}
],
"source": {
"advisory": "GHSA-v64r-7wg9-23pr",
"discovery": "UNKNOWN"
},
"title": "Unauthenticated Craft CMS users can trigger a database backup"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-68456",
"datePublished": "2026-01-05T22:03:11.155Z",
"dateReserved": "2025-12-17T20:22:35.081Z",
"dateUpdated": "2026-01-06T19:03:45.923Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68437 (GCVE-0-2025-68437)
Vulnerability from nvd – Published: 2026-01-05 21:52 – Updated: 2026-01-06 19:04
VLAI?
Title
Craft CMS vulnerable to Server-Side Request Forgery (SSRF) via GraphQL Asset Upload Mutation
Summary
Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, the Craft CMS GraphQL `save_<VolumeName>_Asset` mutation is vulnerable to Server-Side Request Forgery (SSRF). This vulnerability arises because the `_file` input, specifically its `url` parameter, allows the server to fetch content from arbitrary remote locations without proper validation. Attackers can exploit this by providing internal IP addresses or cloud metadata endpoints as the `url`, forcing the server to make requests to these restricted services. The fetched content is then saved as an asset, which can subsequently be accessed and exfiltrated, leading to potential data exposure and infrastructure compromise. This exploitation requires specific GraphQL permissions for asset management within the targeted volume. Users should update to the patched 5.8.21 and 4.16.17 releases to mitigate the issue.
Severity ?
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68437",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-06T14:27:06.601960Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-06T19:04:50.563Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cms",
"vendor": "craftcms",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.0.0-RC1, \u003c 5.8.21"
},
{
"status": "affected",
"version": "\u003e= 4.0.0-RC1, \u003c 4.16.17"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, the Craft CMS GraphQL `save_\u003cVolumeName\u003e_Asset` mutation is vulnerable to Server-Side Request Forgery (SSRF). This vulnerability arises because the `_file` input, specifically its `url` parameter, allows the server to fetch content from arbitrary remote locations without proper validation. Attackers can exploit this by providing internal IP addresses or cloud metadata endpoints as the `url`, forcing the server to make requests to these restricted services. The fetched content is then saved as an asset, which can subsequently be accessed and exfiltrated, leading to potential data exposure and infrastructure compromise. This exploitation requires specific GraphQL permissions for asset management within the targeted volume. Users should update to the patched 5.8.21 and 4.16.17 releases to mitigate the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T21:52:29.436Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc"
},
{
"name": "https://github.com/craftcms/cms/commit/013db636fdb38f3ce5657fd196b6d952f98ebc52",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/cms/commit/013db636fdb38f3ce5657fd196b6d952f98ebc52"
},
{
"name": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04"
}
],
"source": {
"advisory": "GHSA-x27p-wfqw-hfcc",
"discovery": "UNKNOWN"
},
"title": "Craft CMS vulnerable to Server-Side Request Forgery (SSRF) via GraphQL Asset Upload Mutation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-68437",
"datePublished": "2026-01-05T21:52:29.436Z",
"dateReserved": "2025-12-17T15:43:01.352Z",
"dateUpdated": "2026-01-06T19:04:50.563Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68436 (GCVE-0-2025-68436)
Vulnerability from nvd – Published: 2026-01-05 21:46 – Updated: 2026-01-06 17:38
VLAI?
Title
Craft CMS vulnerable to potential information disclosure via unchecked asset relocation
Summary
Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, authenticated users on a Craft installation could potentially expose sensitive assets via their user profile photo via maliciously crafted requests. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.
Severity ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68436",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-06T15:35:10.723730Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-06T17:38:37.097Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cms",
"vendor": "craftcms",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.0.0-RC1, \u003c 5.8.21"
},
{
"status": "affected",
"version": "\u003e= 4.0.0-RC1, \u003c 4.16.17"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, authenticated users on a Craft installation could potentially expose sensitive assets via their user profile photo via maliciously crafted requests. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T21:46:01.734Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/craftcms/cms/security/advisories/GHSA-53vf-c43h-j2x9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-53vf-c43h-j2x9"
},
{
"name": "https://github.com/craftcms/cms/commit/4bcb0db554e273b66ce3b75263a13414c2368fc9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/cms/commit/4bcb0db554e273b66ce3b75263a13414c2368fc9"
}
],
"source": {
"advisory": "GHSA-53vf-c43h-j2x9",
"discovery": "UNKNOWN"
},
"title": "Craft CMS vulnerable to potential information disclosure via unchecked asset relocation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-68436",
"datePublished": "2026-01-05T21:46:01.734Z",
"dateReserved": "2025-12-17T15:43:01.352Z",
"dateUpdated": "2026-01-06T17:38:37.097Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68454 (GCVE-0-2025-68454)
Vulnerability from nvd – Published: 2026-01-05 21:56 – Updated: 2026-01-06 19:04
VLAI?
Title
Craft CMS vulnerable to potential authenticated Remote Code Execution via Twig SSTI
Summary
Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via Twig SSTI. For this to work, users must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled, which is against Craft CMS' recommendations for any non-dev environment. Alternatively, a non-administrator account with allowAdminChanges disabled can be used, provided access to the System Messages utility is available. It is possible to craft a malicious payload using the Twig `map` filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.
Severity ?
CWE
- CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68454",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-06T14:26:38.362016Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-06T19:04:27.472Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cms",
"vendor": "craftcms",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.0.0-RC1, \u003c 5.8.21"
},
{
"status": "affected",
"version": "\u003e= 4.0.0-RC1, \u003c 4.16.17"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via Twig SSTI. For this to work, users must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled, which is against Craft CMS\u0027 recommendations for any non-dev environment. Alternatively, a non-administrator account with allowAdminChanges disabled can be used, provided access to the System Messages utility is available. It is possible to craft a malicious payload using the Twig `map` filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 5.2,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T21:56:00.892Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/craftcms/cms/security/advisories/GHSA-742x-x762-7383",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-742x-x762-7383"
},
{
"name": "https://github.com/craftcms/cms/commit/d82680f4a05f9576883bb83c3f6243d33ca73ebe",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/cms/commit/d82680f4a05f9576883bb83c3f6243d33ca73ebe"
},
{
"name": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04"
}
],
"source": {
"advisory": "GHSA-742x-x762-7383",
"discovery": "UNKNOWN"
},
"title": "Craft CMS vulnerable to potential authenticated Remote Code Execution via Twig SSTI"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-68454",
"datePublished": "2026-01-05T21:56:00.892Z",
"dateReserved": "2025-12-17T20:22:35.081Z",
"dateUpdated": "2026-01-06T19:04:27.472Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68455 (GCVE-0-2025-68455)
Vulnerability from nvd – Published: 2026-01-05 21:59 – Updated: 2026-01-06 19:04
VLAI?
Title
Craft CMS vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior
Summary
Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior. Note that attackers must have administrator access to the Craft Control Panel for this to work. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.
Severity ?
CWE
- CWE-470 - Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68455",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-06T14:26:28.391418Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-06T19:04:15.687Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cms",
"vendor": "craftcms",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.0.0-RC1, \u003c 5.8.21"
},
{
"status": "affected",
"version": "\u003e= 4.0.0-RC1, \u003c 4.16.17"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior. Note that attackers must have administrator access to the Craft Control Panel for this to work. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-470",
"description": "CWE-470: Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T21:59:00.997Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5"
},
{
"name": "https://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7"
},
{
"name": "https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef"
},
{
"name": "https://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593"
},
{
"name": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04"
}
],
"source": {
"advisory": "GHSA-255j-qw47-wjh5",
"discovery": "UNKNOWN"
},
"title": "Craft CMS vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-68455",
"datePublished": "2026-01-05T21:59:00.997Z",
"dateReserved": "2025-12-17T20:22:35.081Z",
"dateUpdated": "2026-01-06T19:04:15.687Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-57811 (GCVE-0-2025-57811)
Vulnerability from nvd – Published: 2025-08-25 17:52 – Updated: 2025-08-25 18:05
VLAI?
Title
Craft Potential Remote Code Execution via Twig SSTI
Summary
Craft is a platform for creating digital experiences. From versions 4.0.0-RC1 to 4.16.5 and 5.0.0-RC1 to 5.8.6, there is a potential remote code execution vulnerability via Twig SSTI (Server-Side Template Injection). This is a follow-up to CVE-2024-52293. This vulnerability has been patched in versions 4.16.6 and 5.8.7.
Severity ?
CWE
- CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-57811",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-25T18:05:02.078269Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-25T18:05:18.176Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cms",
"vendor": "craftcms",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0-RC1, \u003c 4.16.6"
},
{
"status": "affected",
"version": "\u003e= 5.0.0-RC1, \u003c 5.8.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Craft is a platform for creating digital experiences. From versions 4.0.0-RC1 to 4.16.5 and 5.0.0-RC1 to 5.8.6, there is a potential remote code execution vulnerability via Twig SSTI (Server-Side Template Injection). This is a follow-up to CVE-2024-52293. This vulnerability has been patched in versions 4.16.6 and 5.8.7."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-25T17:52:07.786Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/craftcms/cms/security/advisories/GHSA-crcq-738g-pqvc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-crcq-738g-pqvc"
},
{
"name": "https://github.com/craftcms/cms/pull/17612",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/cms/pull/17612"
},
{
"name": "https://github.com/craftcms/cms/commit/e77f8a287dcdda41f1724f525d03542f18566cbc",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/cms/commit/e77f8a287dcdda41f1724f525d03542f18566cbc"
}
],
"source": {
"advisory": "GHSA-crcq-738g-pqvc",
"discovery": "UNKNOWN"
},
"title": "Craft Potential Remote Code Execution via Twig SSTI"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-57811",
"datePublished": "2025-08-25T17:52:07.786Z",
"dateReserved": "2025-08-20T14:30:35.010Z",
"dateUpdated": "2025-08-25T18:05:18.176Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54417 (GCVE-0-2025-54417)
Vulnerability from nvd – Published: 2025-08-09 01:31 – Updated: 2025-08-11 13:38
VLAI?
Title
Craft contains a theoretical bypass for CVE-2025-23209
Summary
Craft is a platform for creating digital experiences. Versions 4.13.8 through 4.16.2 and 5.5.8 through 5.8.3 contain a vulnerability that can bypass CVE-2025-23209: "Craft CMS has a potential RCE with a compromised security key". To exploit this vulnerability, the project must meet these requirements: have a compromised security key and create an arbitrary file in Craft's /storage/backups folder. With those criteria in place, attackers could create a specific, malicious request to the /updater/restore-db endpoint and execute CLI commands remotely. This issue is fixed in versions 4.16.3 and 5.8.4.
Severity ?
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54417",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-11T13:38:12.800909Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-11T13:38:51.609Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cms",
"vendor": "craftcms",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.13.8, \u003c 4.16.3"
},
{
"status": "affected",
"version": "\u003e= 5.5.8, \u003c 5.8.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Craft is a platform for creating digital experiences. Versions 4.13.8 through 4.16.2 and 5.5.8 through 5.8.3 contain a vulnerability that can bypass CVE-2025-23209: \"Craft CMS has a potential RCE with a compromised security key\". To exploit this vulnerability, the project must meet these requirements: have a compromised security key and create an arbitrary file in Craft\u0027s /storage/backups folder. With those criteria in place, attackers could create a specific, malicious request to the /updater/restore-db endpoint and execute CLI commands remotely. This issue is fixed in versions 4.16.3 and 5.8.4."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.2,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-09T01:31:23.974Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/craftcms/cms/security/advisories/GHSA-2vcf-qxv3-2mgw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-2vcf-qxv3-2mgw"
},
{
"name": "https://github.com/craftcms/cms/commit/a19d46be78a9ca1ea474012a10e97bed0d787f57",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/cms/commit/a19d46be78a9ca1ea474012a10e97bed0d787f57"
}
],
"source": {
"advisory": "GHSA-2vcf-qxv3-2mgw",
"discovery": "UNKNOWN"
},
"title": "Craft contains a theoretical bypass for CVE-2025-23209"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54417",
"datePublished": "2025-08-09T01:31:23.974Z",
"dateReserved": "2025-07-21T23:18:10.281Z",
"dateUpdated": "2025-08-11T13:38:51.609Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-35939 (GCVE-0-2025-35939)
Vulnerability from nvd – Published: 2025-05-07 22:41 – Updated: 2025-10-21 22:55
VLAI?
Title
Craft CMS stores user-provided content in session files
Summary
Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at '/var/lib/php/sessions'. Such session files are named 'sess_[session_value]', where '[session_value]' is provided to the client in a 'Set-Cookie' response header. Craft CMS stores the return URL requested by the client without sanitizing parameters. Consequently, an unauthenticated client can introduce arbitrary values, such as PHP code, to a known local file location on the server. Craft CMS versions 5.7.5 and 4.15.3 have been released to address this issue.
Severity ?
5.3 (Medium)
CWE
- CWE-472 - External Control of Assumed-Immutable Web Parameter
Assigner
References
Impacted products
Credits
Joel Land, undefined
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-35939",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-06T03:55:25.568262Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2025-06-02",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-35939"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T22:55:16.971Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-35939"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-06-02T00:00:00+00:00",
"value": "CVE-2025-35939 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "CMS",
"vendor": "Craft",
"versions": [
{
"lessThan": "5.7.5",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "5.7.5"
},
{
"lessThan": "4.15.3",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "4.15.3"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Joel Land, undefined"
}
],
"datePublic": "2025-05-05T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at \u0027/var/lib/php/sessions\u0027. Such session files are named \u0027sess_[session_value]\u0027, where \u0027[session_value]\u0027 is provided to the client in a \u0027Set-Cookie\u0027 response header. Craft CMS stores the return URL requested by the client without sanitizing parameters. Consequently, an unauthenticated client can introduce arbitrary values, such as PHP code, to a known local file location on the server. Craft CMS versions 5.7.5 and 4.15.3 have been released to address this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
},
{
"other": {
"content": {
"id": "CVE-2025-35939",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-07T22:40:17.180919Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-472",
"description": "CWE-472 External Control of Assumed-Immutable Web Parameter",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-28T20:47:41.106Z",
"orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
"shortName": "cisa-cg"
},
"references": [
{
"name": "url",
"url": "https://github.com/craftcms/cms/pull/17220"
},
{
"name": "url",
"url": "https://github.com/craftcms/cms/releases/tag/4.15.3"
},
{
"name": "url",
"url": "https://github.com/craftcms/cms/releases/tag/5.7.5"
},
{
"name": "url",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-35939"
},
{
"name": "url",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-147-01.json"
}
],
"title": "Craft CMS stores user-provided content in session files"
}
},
"cveMetadata": {
"assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
"assignerShortName": "cisa-cg",
"cveId": "CVE-2025-35939",
"datePublished": "2025-05-07T22:41:29.728Z",
"dateReserved": "2025-04-15T20:57:14.329Z",
"dateUpdated": "2025-10-21T22:55:16.971Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-46731 (GCVE-0-2025-46731)
Vulnerability from nvd – Published: 2025-05-05 19:35 – Updated: 2025-05-05 20:03
VLAI?
Title
Craft CMS Contains a Potential Remote Code Execution Vulnerability via Twig SSTI
Summary
Craft is a content management system. Versions of Craft CMS on the 4.x branch prior to 4.14.13 and on the 5.x branch prior to 5.6.16 contains a potential remote code execution vulnerability via Twig SSTI. One must have administrator access and `ALLOW_ADMIN_CHANGES` must be enabled for this to work. Users should update to the patched versions 4.14.13 or 5.6.15 to mitigate the issue.
Severity ?
CWE
- CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-46731",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-05T20:03:33.766996Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-05T20:03:42.802Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cms",
"vendor": "craftcms",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0-RC1, \u003c 4.14.13"
},
{
"status": "affected",
"version": "\u003e= 5.0.0-RC1, \u003c 5.6.15"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Craft is a content management system. Versions of Craft CMS on the 4.x branch prior to 4.14.13 and on the 5.x branch prior to 5.6.16 contains a potential remote code execution vulnerability via Twig SSTI. One must have administrator access and `ALLOW_ADMIN_CHANGES` must be enabled for this to work. Users should update to the patched versions 4.14.13 or 5.6.15 to mitigate the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-05T19:35:31.347Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/craftcms/cms/security/advisories/GHSA-7c58-g782-9j38",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-7c58-g782-9j38"
},
{
"name": "https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv"
},
{
"name": "https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production",
"tags": [
"x_refsource_MISC"
],
"url": "https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production"
},
{
"name": "http://github.com/craftcms/cms/pull/17026",
"tags": [
"x_refsource_MISC"
],
"url": "http://github.com/craftcms/cms/pull/17026"
}
],
"source": {
"advisory": "GHSA-7c58-g782-9j38",
"discovery": "UNKNOWN"
},
"title": "Craft CMS Contains a Potential Remote Code Execution Vulnerability via Twig SSTI"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-46731",
"datePublished": "2025-05-05T19:35:31.347Z",
"dateReserved": "2025-04-28T20:56:09.085Z",
"dateUpdated": "2025-05-05T20:03:42.802Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-32432 (GCVE-0-2025-32432)
Vulnerability from nvd – Published: 2025-04-25 15:04 – Updated: 2025-04-29 03:55
VLAI?
Title
Craft CMS Allows Remote Code Execution
Summary
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack vector. This issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17, and is an additional fix for CVE-2023-41892.
Severity ?
10 (Critical)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32432",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-28T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-29T03:55:14.713Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"technical-description",
"exploit"
],
"url": "https://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms/"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cms",
"vendor": "craftcms",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0-RC1, \u003c 3.9.15"
},
{
"status": "affected",
"version": "\u003e= 4.0.0-RC1, \u003c 4.14.15"
},
{
"status": "affected",
"version": "\u003e= 5.0.0-RC1, \u003c 5.6.17"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack vector. This issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17, and is an additional fix for CVE-2023-41892."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-25T15:04:06.272Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3"
},
{
"name": "https://github.com/craftcms/cms/commit/e1c85441fa47eeb7c688c2053f25419bc0547b47",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/cms/commit/e1c85441fa47eeb7c688c2053f25419bc0547b47"
},
{
"name": "https://github.com/craftcms/cms/blob/3.x/CHANGELOG.md#3915---2025-04-10-critical",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/cms/blob/3.x/CHANGELOG.md#3915---2025-04-10-critical"
},
{
"name": "https://github.com/craftcms/cms/blob/4.x/CHANGELOG.md#41415---2025-04-10-critical",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/cms/blob/4.x/CHANGELOG.md#41415---2025-04-10-critical"
},
{
"name": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5617---2025-04-10-critical",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5617---2025-04-10-critical"
}
],
"source": {
"advisory": "GHSA-f3gw-9ww9-jmc3",
"discovery": "UNKNOWN"
},
"title": "Craft CMS Allows Remote Code Execution"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-32432",
"datePublished": "2025-04-25T15:04:06.272Z",
"dateReserved": "2025-04-08T10:54:58.368Z",
"dateUpdated": "2025-04-29T03:55:14.713Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
FKIE_CVE-2025-68436
Vulnerability from fkie_nvd - Published: 2026-01-05 22:15 - Updated: 2026-01-12 18:29
Severity ?
Summary
Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, authenticated users on a Craft installation could potentially expose sensitive assets via their user profile photo via maliciously crafted requests. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5775BAC6-95FD-41E2-85CD-06A82F00B972",
"versionEndExcluding": "4.16.17",
"versionStartIncluding": "4.0.0.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DD1EB061-284A-4708-BC67-DE02EF7A5E79",
"versionEndExcluding": "5.8.21",
"versionStartIncluding": "5.0.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "610F6DE9-720F-45B3-81D5-18E7F6B090FD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CC2F40FC-7C27-456A-B16D-679410D1D5CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FBAA8227-04F8-404C-907B-B0162B325F5A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "21B28E2C-327A-4CE6-ACAD-97E459712A55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "1C7461CF-35AB-48E1-88B6-956DAE1D2AB4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "8D8E02D1-601A-4E2B-B619-4775BFDB72D0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, authenticated users on a Craft installation could potentially expose sensitive assets via their user profile photo via maliciously crafted requests. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue."
}
],
"id": "CVE-2025-68436",
"lastModified": "2026-01-12T18:29:17.930",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "UNREPORTED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-01-05T22:15:52.117",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/craftcms/cms/commit/4bcb0db554e273b66ce3b75263a13414c2368fc9"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-53vf-c43h-j2x9"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
FKIE_CVE-2025-68455
Vulnerability from fkie_nvd - Published: 2026-01-05 22:15 - Updated: 2026-01-12 18:21
Severity ?
Summary
Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior. Note that attackers must have administrator access to the Craft Control Panel for this to work. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5775BAC6-95FD-41E2-85CD-06A82F00B972",
"versionEndExcluding": "4.16.17",
"versionStartIncluding": "4.0.0.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DD1EB061-284A-4708-BC67-DE02EF7A5E79",
"versionEndExcluding": "5.8.21",
"versionStartIncluding": "5.0.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "610F6DE9-720F-45B3-81D5-18E7F6B090FD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CC2F40FC-7C27-456A-B16D-679410D1D5CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FBAA8227-04F8-404C-907B-B0162B325F5A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "21B28E2C-327A-4CE6-ACAD-97E459712A55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "1C7461CF-35AB-48E1-88B6-956DAE1D2AB4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "8D8E02D1-601A-4E2B-B619-4775BFDB72D0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior. Note that attackers must have administrator access to the Craft Control Panel for this to work. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue."
}
],
"id": "CVE-2025-68455",
"lastModified": "2026-01-12T18:21:12.567",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-01-05T22:15:52.593",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Product",
"Release Notes"
],
"url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-470"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-68454
Vulnerability from fkie_nvd - Published: 2026-01-05 22:15 - Updated: 2026-01-12 18:23
Severity ?
Summary
Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via Twig SSTI. For this to work, users must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled, which is against Craft CMS' recommendations for any non-dev environment. Alternatively, a non-administrator account with allowAdminChanges disabled can be used, provided access to the System Messages utility is available. It is possible to craft a malicious payload using the Twig `map` filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5775BAC6-95FD-41E2-85CD-06A82F00B972",
"versionEndExcluding": "4.16.17",
"versionStartIncluding": "4.0.0.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DD1EB061-284A-4708-BC67-DE02EF7A5E79",
"versionEndExcluding": "5.8.21",
"versionStartIncluding": "5.0.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "610F6DE9-720F-45B3-81D5-18E7F6B090FD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CC2F40FC-7C27-456A-B16D-679410D1D5CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FBAA8227-04F8-404C-907B-B0162B325F5A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "21B28E2C-327A-4CE6-ACAD-97E459712A55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "1C7461CF-35AB-48E1-88B6-956DAE1D2AB4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "8D8E02D1-601A-4E2B-B619-4775BFDB72D0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via Twig SSTI. For this to work, users must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled, which is against Craft CMS\u0027 recommendations for any non-dev environment. Alternatively, a non-administrator account with allowAdminChanges disabled can be used, provided access to the System Messages utility is available. It is possible to craft a malicious payload using the Twig `map` filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue."
}
],
"id": "CVE-2025-68454",
"lastModified": "2026-01-12T18:23:45.727",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.2,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "UNREPORTED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-01-05T22:15:52.457",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Product",
"Release Notes"
],
"url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/craftcms/cms/commit/d82680f4a05f9576883bb83c3f6243d33ca73ebe"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-742x-x762-7383"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1336"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
FKIE_CVE-2025-68437
Vulnerability from fkie_nvd - Published: 2026-01-05 22:15 - Updated: 2026-01-12 18:28
Severity ?
Summary
Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, the Craft CMS GraphQL `save_<VolumeName>_Asset` mutation is vulnerable to Server-Side Request Forgery (SSRF). This vulnerability arises because the `_file` input, specifically its `url` parameter, allows the server to fetch content from arbitrary remote locations without proper validation. Attackers can exploit this by providing internal IP addresses or cloud metadata endpoints as the `url`, forcing the server to make requests to these restricted services. The fetched content is then saved as an asset, which can subsequently be accessed and exfiltrated, leading to potential data exposure and infrastructure compromise. This exploitation requires specific GraphQL permissions for asset management within the targeted volume. Users should update to the patched 5.8.21 and 4.16.17 releases to mitigate the issue.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5D8B720B-DA3A-423F-ABFF-0A3A0CF4EEFC",
"versionEndExcluding": "4.16.17",
"versionStartIncluding": "3.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DD1EB061-284A-4708-BC67-DE02EF7A5E79",
"versionEndExcluding": "5.8.21",
"versionStartIncluding": "5.0.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "1C7461CF-35AB-48E1-88B6-956DAE1D2AB4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "8D8E02D1-601A-4E2B-B619-4775BFDB72D0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, the Craft CMS GraphQL `save_\u003cVolumeName\u003e_Asset` mutation is vulnerable to Server-Side Request Forgery (SSRF). This vulnerability arises because the `_file` input, specifically its `url` parameter, allows the server to fetch content from arbitrary remote locations without proper validation. Attackers can exploit this by providing internal IP addresses or cloud metadata endpoints as the `url`, forcing the server to make requests to these restricted services. The fetched content is then saved as an asset, which can subsequently be accessed and exfiltrated, leading to potential data exposure and infrastructure compromise. This exploitation requires specific GraphQL permissions for asset management within the targeted volume. Users should update to the patched 5.8.21 and 4.16.17 releases to mitigate the issue."
}
],
"id": "CVE-2025-68437",
"lastModified": "2026-01-12T18:28:14.250",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 4.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.0,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "PROOF_OF_CONCEPT",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-01-05T22:15:52.283",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Product",
"Release Notes"
],
"url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/craftcms/cms/commit/013db636fdb38f3ce5657fd196b6d952f98ebc52"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-68456
Vulnerability from fkie_nvd - Published: 2026-01-05 22:15 - Updated: 2026-01-12 18:19
Severity ?
Summary
Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "269DCC5B-520D-4FA8-9D7B-3984EE16D5C8",
"versionEndExcluding": "4.16.17",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DD1EB061-284A-4708-BC67-DE02EF7A5E79",
"versionEndExcluding": "5.8.21",
"versionStartIncluding": "5.0.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "1C7461CF-35AB-48E1-88B6-956DAE1D2AB4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "8D8E02D1-601A-4E2B-B619-4775BFDB72D0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes."
}
],
"id": "CVE-2025-68456",
"lastModified": "2026-01-12T18:19:38.220",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 7.0,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "PROOF_OF_CONCEPT",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-01-05T22:15:52.727",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Product",
"Release Notes"
],
"url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-v64r-7wg9-23pr"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-v64r-7wg9-23pr"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-202"
},
{
"lang": "en",
"value": "CWE-770"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-770"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2025-57811
Vulnerability from fkie_nvd - Published: 2025-08-25 18:15 - Updated: 2025-09-03 17:43
Severity ?
Summary
Craft is a platform for creating digital experiences. From versions 4.0.0-RC1 to 4.16.5 and 5.0.0-RC1 to 5.8.6, there is a potential remote code execution vulnerability via Twig SSTI (Server-Side Template Injection). This is a follow-up to CVE-2024-52293. This vulnerability has been patched in versions 4.16.6 and 5.8.7.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0844A137-B301-4C69-8759-910C92CDAF7B",
"versionEndExcluding": "4.16.6",
"versionStartIncluding": "4.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "092A71E9-0519-4787-9656-7B3219295F09",
"versionEndExcluding": "5.8.7",
"versionStartIncluding": "5.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CC2F40FC-7C27-456A-B16D-679410D1D5CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FBAA8227-04F8-404C-907B-B0162B325F5A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "21B28E2C-327A-4CE6-ACAD-97E459712A55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "8D8E02D1-601A-4E2B-B619-4775BFDB72D0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Craft is a platform for creating digital experiences. From versions 4.0.0-RC1 to 4.16.5 and 5.0.0-RC1 to 5.8.6, there is a potential remote code execution vulnerability via Twig SSTI (Server-Side Template Injection). This is a follow-up to CVE-2024-52293. This vulnerability has been patched in versions 4.16.6 and 5.8.7."
},
{
"lang": "es",
"value": "Craft es una plataforma para crear experiencias digitales. De las versiones 4.0.0-RC1 a 4.16.5 y de 5.0.0-RC1 a 5.8.6, existe una posible vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo mediante Twig SSTI (inyecci\u00f3n de plantilla del lado del servidor). Esta vulnerabilidad es posterior a CVE-2024-52293. Esta vulnerabilidad se ha corregido en las versiones 4.16.6 y 5.8.7."
}
],
"id": "CVE-2025-57811",
"lastModified": "2025-09-03T17:43:47.143",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "UNREPORTED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-08-25T18:15:31.097",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/craftcms/cms/commit/e77f8a287dcdda41f1724f525d03542f18566cbc"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/craftcms/cms/pull/17612"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-crcq-738g-pqvc"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1336"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-54417
Vulnerability from fkie_nvd - Published: 2025-08-09 02:15 - Updated: 2025-09-02 19:23
Severity ?
Summary
Craft is a platform for creating digital experiences. Versions 4.13.8 through 4.16.2 and 5.5.8 through 5.8.3 contain a vulnerability that can bypass CVE-2025-23209: "Craft CMS has a potential RCE with a compromised security key". To exploit this vulnerability, the project must meet these requirements: have a compromised security key and create an arbitrary file in Craft's /storage/backups folder. With those criteria in place, attackers could create a specific, malicious request to the /updater/restore-db endpoint and execute CLI commands remotely. This issue is fixed in versions 4.16.3 and 5.8.4.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "107F66D9-25CF-45BA-9CC2-DB97EEA12539",
"versionEndExcluding": "4.16.3",
"versionStartIncluding": "4.13.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8BE5E5F1-3D64-4E0D-9AF5-369C5E2676AE",
"versionEndExcluding": "5.8.4",
"versionStartIncluding": "5.5.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Craft is a platform for creating digital experiences. Versions 4.13.8 through 4.16.2 and 5.5.8 through 5.8.3 contain a vulnerability that can bypass CVE-2025-23209: \"Craft CMS has a potential RCE with a compromised security key\". To exploit this vulnerability, the project must meet these requirements: have a compromised security key and create an arbitrary file in Craft\u0027s /storage/backups folder. With those criteria in place, attackers could create a specific, malicious request to the /updater/restore-db endpoint and execute CLI commands remotely. This issue is fixed in versions 4.16.3 and 5.8.4."
},
{
"lang": "es",
"value": "Craft es una plataforma para crear experiencias digitales. Las versiones 4.13.8 a 4.16.2 y 5.5.8 a 5.8.3 contienen una vulnerabilidad que puede eludir la CVE-2025-23209: \"Craft CMS tiene un posible RCE con una clave de seguridad comprometida\". Para explotar esta vulnerabilidad, el proyecto debe cumplir estos requisitos: tener una clave de seguridad comprometida y crear un archivo arbitrario en la carpeta /storage/backups de Craft. Con estos criterios, los atacantes podr\u00edan crear una solicitud maliciosa espec\u00edfica al endpoint /updater/restore-db y ejecutar comandos CLI de forma remota. Este problema se ha corregido en las versiones 4.16.3 y 5.8.4."
}
],
"id": "CVE-2025-54417",
"lastModified": "2025-09-02T19:23:07.853",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.2,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "UNREPORTED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-08-09T02:15:37.550",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/craftcms/cms/commit/a19d46be78a9ca1ea474012a10e97bed0d787f57"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-2vcf-qxv3-2mgw"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-35939
Vulnerability from fkie_nvd - Published: 2025-05-07 23:15 - Updated: 2025-10-24 13:45
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at '/var/lib/php/sessions'. Such session files are named 'sess_[session_value]', where '[session_value]' is provided to the client in a 'Set-Cookie' response header. Craft CMS stores the return URL requested by the client without sanitizing parameters. Consequently, an unauthenticated client can introduce arbitrary values, such as PHP code, to a known local file location on the server. Craft CMS versions 5.7.5 and 4.15.3 have been released to address this issue.
References
{
"cisaActionDue": "2025-06-23",
"cisaExploitAdd": "2025-06-02",
"cisaRequiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
"cisaVulnerabilityName": "Craft CMS External Control of Assumed-Immutable Web Parameter Vulnerability",
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8C8B256D-000B-4588-8182-CEC2ACC076EB",
"versionEndExcluding": "4.15.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "61BCA33B-AEA5-45AA-A757-9348C48A4728",
"versionEndExcluding": "5.7.5",
"versionStartIncluding": "5.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at \u0027/var/lib/php/sessions\u0027. Such session files are named \u0027sess_[session_value]\u0027, where \u0027[session_value]\u0027 is provided to the client in a \u0027Set-Cookie\u0027 response header. Craft CMS stores the return URL requested by the client without sanitizing parameters. Consequently, an unauthenticated client can introduce arbitrary values, such as PHP code, to a known local file location on the server. Craft CMS versions 5.7.5 and 4.15.3 have been released to address this issue."
},
{
"lang": "es",
"value": "Craft CMS almacena contenido arbitrario proporcionado por usuarios no autenticados en archivos de sesi\u00f3n. Este contenido podr\u00eda ser accedido y ejecutado, posiblemente aprovechando una vulnerabilidad independiente. Craft CMS redirige las solicitudes que requieren autenticaci\u00f3n a la p\u00e1gina de inicio de sesi\u00f3n y genera un archivo de sesi\u00f3n en el servidor, en `/var/lib/php/sessions`. Estos archivos de sesi\u00f3n se denominan `sess_[session_value]`, donde `[session_value]` se proporciona al cliente en un encabezado de respuesta `Set-Cookie`. Craft CMS almacena la URL de retorno solicitada por el cliente sin par\u00e1metros de limpieza. Por lo tanto, un cliente no autenticado puede introducir valores arbitrarios, como c\u00f3digo PHP, en una ubicaci\u00f3n de archivo local conocida en el servidor. Se han publicado las versiones 5.7.5 y 4.15.3 de Craft CMS para solucionar este problema."
}
],
"id": "CVE-2025-35939",
"lastModified": "2025-10-24T13:45:43.720",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "9119a7d8-5eab-497f-8521-727c672e3725",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "9119a7d8-5eab-497f-8521-727c672e3725",
"type": "Secondary"
}
]
},
"published": "2025-05-07T23:15:54.103",
"references": [
{
"source": "9119a7d8-5eab-497f-8521-727c672e3725",
"tags": [
"Patch"
],
"url": "https://github.com/craftcms/cms/pull/17220"
},
{
"source": "9119a7d8-5eab-497f-8521-727c672e3725",
"tags": [
"Release Notes"
],
"url": "https://github.com/craftcms/cms/releases/tag/4.15.3"
},
{
"source": "9119a7d8-5eab-497f-8521-727c672e3725",
"tags": [
"Release Notes"
],
"url": "https://github.com/craftcms/cms/releases/tag/5.7.5"
},
{
"source": "9119a7d8-5eab-497f-8521-727c672e3725",
"tags": [
"Third Party Advisory"
],
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-147-01.json"
},
{
"source": "9119a7d8-5eab-497f-8521-727c672e3725",
"tags": [
"VDB Entry"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2025-35939"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"US Government Resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-35939"
}
],
"sourceIdentifier": "9119a7d8-5eab-497f-8521-727c672e3725",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-472"
}
],
"source": "9119a7d8-5eab-497f-8521-727c672e3725",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2025-46731
Vulnerability from fkie_nvd - Published: 2025-05-05 20:15 - Updated: 2025-09-03 18:06
Severity ?
Summary
Craft is a content management system. Versions of Craft CMS on the 4.x branch prior to 4.14.13 and on the 5.x branch prior to 5.6.16 contains a potential remote code execution vulnerability via Twig SSTI. One must have administrator access and `ALLOW_ADMIN_CHANGES` must be enabled for this to work. Users should update to the patched versions 4.14.13 or 5.6.15 to mitigate the issue.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "19F1EF57-9522-4B85-AFEC-E6365B53E006",
"versionEndExcluding": "4.14.13",
"versionStartIncluding": "4.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1C589642-07F3-453E-90A1-2227F528A784",
"versionEndExcluding": "5.6.15",
"versionStartIncluding": "5.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "CC2F40FC-7C27-456A-B16D-679410D1D5CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "FBAA8227-04F8-404C-907B-B0162B325F5A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "21B28E2C-327A-4CE6-ACAD-97E459712A55",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "8D8E02D1-601A-4E2B-B619-4775BFDB72D0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Craft is a content management system. Versions of Craft CMS on the 4.x branch prior to 4.14.13 and on the 5.x branch prior to 5.6.16 contains a potential remote code execution vulnerability via Twig SSTI. One must have administrator access and `ALLOW_ADMIN_CHANGES` must be enabled for this to work. Users should update to the patched versions 4.14.13 or 5.6.15 to mitigate the issue."
},
{
"lang": "es",
"value": "Craft es un sistema de gesti\u00f3n de contenido. Las versiones de Craft CMS en la rama 4.x anterior a la 4.14.13 y en la rama 5.x anterior a la 5.6.16 contienen una posible vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo a trav\u00e9s de Twig SSTI. Se requiere acceso de administrador y la opci\u00f3n `ALLOW_ADMIN_CHANGES` debe estar habilitada para que esto funcione. Los usuarios deben actualizar a las versiones parcheadas 4.14.13 o 5.6.15 para mitigar el problema."
}
],
"id": "CVE-2025-46731",
"lastModified": "2025-09-03T18:06:16.593",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "PROOF_OF_CONCEPT",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-05-05T20:15:21.460",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "http://github.com/craftcms/cms/pull/17026"
},
{
"source": "security-advisories@github.com",
"tags": [
"Product"
],
"url": "https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-7c58-g782-9j38"
},
{
"source": "security-advisories@github.com",
"tags": [
"Not Applicable"
],
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1336"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-32432
Vulnerability from fkie_nvd - Published: 2025-04-25 15:15 - Updated: 2025-04-28 20:57
Severity ?
10.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
10.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
10.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Summary
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack vector. This issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17, and is an additional fix for CVE-2023-41892.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BCB171F0-5C1B-48AE-831E-711510AA3BB9",
"versionEndExcluding": "3.9.15",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "502743C7-CDF1-4644-8371-FFB97DE1A4E6",
"versionEndExcluding": "4.14.15",
"versionStartIncluding": "4.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EA89FA02-0C55-47CE-8B8B-4A383F6F2E65",
"versionEndExcluding": "5.6.17",
"versionStartIncluding": "5.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack vector. This issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17, and is an additional fix for CVE-2023-41892."
},
{
"lang": "es",
"value": "Craft es un CMS flexible e intuitivo para crear experiencias digitales personalizadas en la web y m\u00e1s all\u00e1. Desde la versi\u00f3n 3.0.0-RC1 hasta anteriores a la 3.9.15, desde la 4.0.0-RC1 hasta anteriores a la 4.14.15 y desde la 5.0.0-RC1 hasta anteriores a la 5.6.17, Craft es vulnerable a la ejecuci\u00f3n remota de c\u00f3digo. Este es un vector de ataque de alto impacto y baja complejidad. Este problema se ha corregido en las versiones 3.9.15, 4.14.15 y 5.6.17, y constituye una correcci\u00f3n adicional para CVE-2023-41892."
}
],
"id": "CVE-2025-32432",
"lastModified": "2025-04-28T20:57:06.397",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 10.0,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 6.0,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10.0,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 6.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-04-25T15:15:36.440",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Broken Link"
],
"url": "https://github.com/craftcms/cms/blob/3.x/CHANGELOG.md#3915---2025-04-10-critical"
},
{
"source": "security-advisories@github.com",
"tags": [
"Product"
],
"url": "https://github.com/craftcms/cms/blob/4.x/CHANGELOG.md#41415---2025-04-10-critical"
},
{
"source": "security-advisories@github.com",
"tags": [
"Product"
],
"url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5617---2025-04-10-critical"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/craftcms/cms/commit/e1c85441fa47eeb7c688c2053f25419bc0547b47"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Press/Media Coverage"
],
"url": "https://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms/"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2025-68456 (GCVE-0-2025-68456)
Vulnerability from cvelistv5 – Published: 2026-01-05 22:03 – Updated: 2026-01-06 19:03
VLAI?
Title
Unauthenticated Craft CMS users can trigger a database backup
Summary
Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes.
Severity ?
CWE
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68456",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-06T14:26:08.082464Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-06T19:03:45.923Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-v64r-7wg9-23pr"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cms",
"vendor": "craftcms",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.0.0-RC1, \u003c 5.8.21"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 4.16.17"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-202",
"description": "CWE-202: Exposure of Sensitive Information Through Data Queries",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T22:03:11.155Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/craftcms/cms/security/advisories/GHSA-v64r-7wg9-23pr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-v64r-7wg9-23pr"
},
{
"name": "https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39"
},
{
"name": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04"
}
],
"source": {
"advisory": "GHSA-v64r-7wg9-23pr",
"discovery": "UNKNOWN"
},
"title": "Unauthenticated Craft CMS users can trigger a database backup"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-68456",
"datePublished": "2026-01-05T22:03:11.155Z",
"dateReserved": "2025-12-17T20:22:35.081Z",
"dateUpdated": "2026-01-06T19:03:45.923Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68455 (GCVE-0-2025-68455)
Vulnerability from cvelistv5 – Published: 2026-01-05 21:59 – Updated: 2026-01-06 19:04
VLAI?
Title
Craft CMS vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior
Summary
Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior. Note that attackers must have administrator access to the Craft Control Panel for this to work. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.
Severity ?
CWE
- CWE-470 - Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68455",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-06T14:26:28.391418Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-06T19:04:15.687Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cms",
"vendor": "craftcms",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.0.0-RC1, \u003c 5.8.21"
},
{
"status": "affected",
"version": "\u003e= 4.0.0-RC1, \u003c 4.16.17"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior. Note that attackers must have administrator access to the Craft Control Panel for this to work. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-470",
"description": "CWE-470: Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T21:59:00.997Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5"
},
{
"name": "https://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7"
},
{
"name": "https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef"
},
{
"name": "https://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593"
},
{
"name": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04"
}
],
"source": {
"advisory": "GHSA-255j-qw47-wjh5",
"discovery": "UNKNOWN"
},
"title": "Craft CMS vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-68455",
"datePublished": "2026-01-05T21:59:00.997Z",
"dateReserved": "2025-12-17T20:22:35.081Z",
"dateUpdated": "2026-01-06T19:04:15.687Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68454 (GCVE-0-2025-68454)
Vulnerability from cvelistv5 – Published: 2026-01-05 21:56 – Updated: 2026-01-06 19:04
VLAI?
Title
Craft CMS vulnerable to potential authenticated Remote Code Execution via Twig SSTI
Summary
Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via Twig SSTI. For this to work, users must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled, which is against Craft CMS' recommendations for any non-dev environment. Alternatively, a non-administrator account with allowAdminChanges disabled can be used, provided access to the System Messages utility is available. It is possible to craft a malicious payload using the Twig `map` filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.
Severity ?
CWE
- CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68454",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-06T14:26:38.362016Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-06T19:04:27.472Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cms",
"vendor": "craftcms",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.0.0-RC1, \u003c 5.8.21"
},
{
"status": "affected",
"version": "\u003e= 4.0.0-RC1, \u003c 4.16.17"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via Twig SSTI. For this to work, users must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled, which is against Craft CMS\u0027 recommendations for any non-dev environment. Alternatively, a non-administrator account with allowAdminChanges disabled can be used, provided access to the System Messages utility is available. It is possible to craft a malicious payload using the Twig `map` filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 5.2,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T21:56:00.892Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/craftcms/cms/security/advisories/GHSA-742x-x762-7383",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-742x-x762-7383"
},
{
"name": "https://github.com/craftcms/cms/commit/d82680f4a05f9576883bb83c3f6243d33ca73ebe",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/cms/commit/d82680f4a05f9576883bb83c3f6243d33ca73ebe"
},
{
"name": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04"
}
],
"source": {
"advisory": "GHSA-742x-x762-7383",
"discovery": "UNKNOWN"
},
"title": "Craft CMS vulnerable to potential authenticated Remote Code Execution via Twig SSTI"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-68454",
"datePublished": "2026-01-05T21:56:00.892Z",
"dateReserved": "2025-12-17T20:22:35.081Z",
"dateUpdated": "2026-01-06T19:04:27.472Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68437 (GCVE-0-2025-68437)
Vulnerability from cvelistv5 – Published: 2026-01-05 21:52 – Updated: 2026-01-06 19:04
VLAI?
Title
Craft CMS vulnerable to Server-Side Request Forgery (SSRF) via GraphQL Asset Upload Mutation
Summary
Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, the Craft CMS GraphQL `save_<VolumeName>_Asset` mutation is vulnerable to Server-Side Request Forgery (SSRF). This vulnerability arises because the `_file` input, specifically its `url` parameter, allows the server to fetch content from arbitrary remote locations without proper validation. Attackers can exploit this by providing internal IP addresses or cloud metadata endpoints as the `url`, forcing the server to make requests to these restricted services. The fetched content is then saved as an asset, which can subsequently be accessed and exfiltrated, leading to potential data exposure and infrastructure compromise. This exploitation requires specific GraphQL permissions for asset management within the targeted volume. Users should update to the patched 5.8.21 and 4.16.17 releases to mitigate the issue.
Severity ?
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68437",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-06T14:27:06.601960Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-06T19:04:50.563Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cms",
"vendor": "craftcms",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.0.0-RC1, \u003c 5.8.21"
},
{
"status": "affected",
"version": "\u003e= 4.0.0-RC1, \u003c 4.16.17"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, the Craft CMS GraphQL `save_\u003cVolumeName\u003e_Asset` mutation is vulnerable to Server-Side Request Forgery (SSRF). This vulnerability arises because the `_file` input, specifically its `url` parameter, allows the server to fetch content from arbitrary remote locations without proper validation. Attackers can exploit this by providing internal IP addresses or cloud metadata endpoints as the `url`, forcing the server to make requests to these restricted services. The fetched content is then saved as an asset, which can subsequently be accessed and exfiltrated, leading to potential data exposure and infrastructure compromise. This exploitation requires specific GraphQL permissions for asset management within the targeted volume. Users should update to the patched 5.8.21 and 4.16.17 releases to mitigate the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T21:52:29.436Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc"
},
{
"name": "https://github.com/craftcms/cms/commit/013db636fdb38f3ce5657fd196b6d952f98ebc52",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/cms/commit/013db636fdb38f3ce5657fd196b6d952f98ebc52"
},
{
"name": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04"
}
],
"source": {
"advisory": "GHSA-x27p-wfqw-hfcc",
"discovery": "UNKNOWN"
},
"title": "Craft CMS vulnerable to Server-Side Request Forgery (SSRF) via GraphQL Asset Upload Mutation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-68437",
"datePublished": "2026-01-05T21:52:29.436Z",
"dateReserved": "2025-12-17T15:43:01.352Z",
"dateUpdated": "2026-01-06T19:04:50.563Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68436 (GCVE-0-2025-68436)
Vulnerability from cvelistv5 – Published: 2026-01-05 21:46 – Updated: 2026-01-06 17:38
VLAI?
Title
Craft CMS vulnerable to potential information disclosure via unchecked asset relocation
Summary
Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, authenticated users on a Craft installation could potentially expose sensitive assets via their user profile photo via maliciously crafted requests. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.
Severity ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68436",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-06T15:35:10.723730Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-06T17:38:37.097Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cms",
"vendor": "craftcms",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.0.0-RC1, \u003c 5.8.21"
},
{
"status": "affected",
"version": "\u003e= 4.0.0-RC1, \u003c 4.16.17"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, authenticated users on a Craft installation could potentially expose sensitive assets via their user profile photo via maliciously crafted requests. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T21:46:01.734Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/craftcms/cms/security/advisories/GHSA-53vf-c43h-j2x9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-53vf-c43h-j2x9"
},
{
"name": "https://github.com/craftcms/cms/commit/4bcb0db554e273b66ce3b75263a13414c2368fc9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/cms/commit/4bcb0db554e273b66ce3b75263a13414c2368fc9"
}
],
"source": {
"advisory": "GHSA-53vf-c43h-j2x9",
"discovery": "UNKNOWN"
},
"title": "Craft CMS vulnerable to potential information disclosure via unchecked asset relocation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-68436",
"datePublished": "2026-01-05T21:46:01.734Z",
"dateReserved": "2025-12-17T15:43:01.352Z",
"dateUpdated": "2026-01-06T17:38:37.097Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-57811 (GCVE-0-2025-57811)
Vulnerability from cvelistv5 – Published: 2025-08-25 17:52 – Updated: 2025-08-25 18:05
VLAI?
Title
Craft Potential Remote Code Execution via Twig SSTI
Summary
Craft is a platform for creating digital experiences. From versions 4.0.0-RC1 to 4.16.5 and 5.0.0-RC1 to 5.8.6, there is a potential remote code execution vulnerability via Twig SSTI (Server-Side Template Injection). This is a follow-up to CVE-2024-52293. This vulnerability has been patched in versions 4.16.6 and 5.8.7.
Severity ?
CWE
- CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-57811",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-25T18:05:02.078269Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-25T18:05:18.176Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cms",
"vendor": "craftcms",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0-RC1, \u003c 4.16.6"
},
{
"status": "affected",
"version": "\u003e= 5.0.0-RC1, \u003c 5.8.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Craft is a platform for creating digital experiences. From versions 4.0.0-RC1 to 4.16.5 and 5.0.0-RC1 to 5.8.6, there is a potential remote code execution vulnerability via Twig SSTI (Server-Side Template Injection). This is a follow-up to CVE-2024-52293. This vulnerability has been patched in versions 4.16.6 and 5.8.7."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-25T17:52:07.786Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/craftcms/cms/security/advisories/GHSA-crcq-738g-pqvc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-crcq-738g-pqvc"
},
{
"name": "https://github.com/craftcms/cms/pull/17612",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/cms/pull/17612"
},
{
"name": "https://github.com/craftcms/cms/commit/e77f8a287dcdda41f1724f525d03542f18566cbc",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/cms/commit/e77f8a287dcdda41f1724f525d03542f18566cbc"
}
],
"source": {
"advisory": "GHSA-crcq-738g-pqvc",
"discovery": "UNKNOWN"
},
"title": "Craft Potential Remote Code Execution via Twig SSTI"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-57811",
"datePublished": "2025-08-25T17:52:07.786Z",
"dateReserved": "2025-08-20T14:30:35.010Z",
"dateUpdated": "2025-08-25T18:05:18.176Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54417 (GCVE-0-2025-54417)
Vulnerability from cvelistv5 – Published: 2025-08-09 01:31 – Updated: 2025-08-11 13:38
VLAI?
Title
Craft contains a theoretical bypass for CVE-2025-23209
Summary
Craft is a platform for creating digital experiences. Versions 4.13.8 through 4.16.2 and 5.5.8 through 5.8.3 contain a vulnerability that can bypass CVE-2025-23209: "Craft CMS has a potential RCE with a compromised security key". To exploit this vulnerability, the project must meet these requirements: have a compromised security key and create an arbitrary file in Craft's /storage/backups folder. With those criteria in place, attackers could create a specific, malicious request to the /updater/restore-db endpoint and execute CLI commands remotely. This issue is fixed in versions 4.16.3 and 5.8.4.
Severity ?
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54417",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-11T13:38:12.800909Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-11T13:38:51.609Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cms",
"vendor": "craftcms",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.13.8, \u003c 4.16.3"
},
{
"status": "affected",
"version": "\u003e= 5.5.8, \u003c 5.8.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Craft is a platform for creating digital experiences. Versions 4.13.8 through 4.16.2 and 5.5.8 through 5.8.3 contain a vulnerability that can bypass CVE-2025-23209: \"Craft CMS has a potential RCE with a compromised security key\". To exploit this vulnerability, the project must meet these requirements: have a compromised security key and create an arbitrary file in Craft\u0027s /storage/backups folder. With those criteria in place, attackers could create a specific, malicious request to the /updater/restore-db endpoint and execute CLI commands remotely. This issue is fixed in versions 4.16.3 and 5.8.4."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.2,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-09T01:31:23.974Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/craftcms/cms/security/advisories/GHSA-2vcf-qxv3-2mgw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-2vcf-qxv3-2mgw"
},
{
"name": "https://github.com/craftcms/cms/commit/a19d46be78a9ca1ea474012a10e97bed0d787f57",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/cms/commit/a19d46be78a9ca1ea474012a10e97bed0d787f57"
}
],
"source": {
"advisory": "GHSA-2vcf-qxv3-2mgw",
"discovery": "UNKNOWN"
},
"title": "Craft contains a theoretical bypass for CVE-2025-23209"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54417",
"datePublished": "2025-08-09T01:31:23.974Z",
"dateReserved": "2025-07-21T23:18:10.281Z",
"dateUpdated": "2025-08-11T13:38:51.609Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-35939 (GCVE-0-2025-35939)
Vulnerability from cvelistv5 – Published: 2025-05-07 22:41 – Updated: 2025-10-21 22:55
VLAI?
Title
Craft CMS stores user-provided content in session files
Summary
Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at '/var/lib/php/sessions'. Such session files are named 'sess_[session_value]', where '[session_value]' is provided to the client in a 'Set-Cookie' response header. Craft CMS stores the return URL requested by the client without sanitizing parameters. Consequently, an unauthenticated client can introduce arbitrary values, such as PHP code, to a known local file location on the server. Craft CMS versions 5.7.5 and 4.15.3 have been released to address this issue.
Severity ?
5.3 (Medium)
CWE
- CWE-472 - External Control of Assumed-Immutable Web Parameter
Assigner
References
Impacted products
Credits
Joel Land, undefined
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-35939",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-06T03:55:25.568262Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2025-06-02",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-35939"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T22:55:16.971Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-35939"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-06-02T00:00:00+00:00",
"value": "CVE-2025-35939 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "CMS",
"vendor": "Craft",
"versions": [
{
"lessThan": "5.7.5",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "5.7.5"
},
{
"lessThan": "4.15.3",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "4.15.3"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Joel Land, undefined"
}
],
"datePublic": "2025-05-05T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at \u0027/var/lib/php/sessions\u0027. Such session files are named \u0027sess_[session_value]\u0027, where \u0027[session_value]\u0027 is provided to the client in a \u0027Set-Cookie\u0027 response header. Craft CMS stores the return URL requested by the client without sanitizing parameters. Consequently, an unauthenticated client can introduce arbitrary values, such as PHP code, to a known local file location on the server. Craft CMS versions 5.7.5 and 4.15.3 have been released to address this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
},
{
"other": {
"content": {
"id": "CVE-2025-35939",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-07T22:40:17.180919Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-472",
"description": "CWE-472 External Control of Assumed-Immutable Web Parameter",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-28T20:47:41.106Z",
"orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
"shortName": "cisa-cg"
},
"references": [
{
"name": "url",
"url": "https://github.com/craftcms/cms/pull/17220"
},
{
"name": "url",
"url": "https://github.com/craftcms/cms/releases/tag/4.15.3"
},
{
"name": "url",
"url": "https://github.com/craftcms/cms/releases/tag/5.7.5"
},
{
"name": "url",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-35939"
},
{
"name": "url",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-147-01.json"
}
],
"title": "Craft CMS stores user-provided content in session files"
}
},
"cveMetadata": {
"assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
"assignerShortName": "cisa-cg",
"cveId": "CVE-2025-35939",
"datePublished": "2025-05-07T22:41:29.728Z",
"dateReserved": "2025-04-15T20:57:14.329Z",
"dateUpdated": "2025-10-21T22:55:16.971Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-46731 (GCVE-0-2025-46731)
Vulnerability from cvelistv5 – Published: 2025-05-05 19:35 – Updated: 2025-05-05 20:03
VLAI?
Title
Craft CMS Contains a Potential Remote Code Execution Vulnerability via Twig SSTI
Summary
Craft is a content management system. Versions of Craft CMS on the 4.x branch prior to 4.14.13 and on the 5.x branch prior to 5.6.16 contains a potential remote code execution vulnerability via Twig SSTI. One must have administrator access and `ALLOW_ADMIN_CHANGES` must be enabled for this to work. Users should update to the patched versions 4.14.13 or 5.6.15 to mitigate the issue.
Severity ?
CWE
- CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-46731",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-05T20:03:33.766996Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-05T20:03:42.802Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cms",
"vendor": "craftcms",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0-RC1, \u003c 4.14.13"
},
{
"status": "affected",
"version": "\u003e= 5.0.0-RC1, \u003c 5.6.15"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Craft is a content management system. Versions of Craft CMS on the 4.x branch prior to 4.14.13 and on the 5.x branch prior to 5.6.16 contains a potential remote code execution vulnerability via Twig SSTI. One must have administrator access and `ALLOW_ADMIN_CHANGES` must be enabled for this to work. Users should update to the patched versions 4.14.13 or 5.6.15 to mitigate the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-05T19:35:31.347Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/craftcms/cms/security/advisories/GHSA-7c58-g782-9j38",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-7c58-g782-9j38"
},
{
"name": "https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv"
},
{
"name": "https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production",
"tags": [
"x_refsource_MISC"
],
"url": "https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production"
},
{
"name": "http://github.com/craftcms/cms/pull/17026",
"tags": [
"x_refsource_MISC"
],
"url": "http://github.com/craftcms/cms/pull/17026"
}
],
"source": {
"advisory": "GHSA-7c58-g782-9j38",
"discovery": "UNKNOWN"
},
"title": "Craft CMS Contains a Potential Remote Code Execution Vulnerability via Twig SSTI"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-46731",
"datePublished": "2025-05-05T19:35:31.347Z",
"dateReserved": "2025-04-28T20:56:09.085Z",
"dateUpdated": "2025-05-05T20:03:42.802Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-32432 (GCVE-0-2025-32432)
Vulnerability from cvelistv5 – Published: 2025-04-25 15:04 – Updated: 2025-04-29 03:55
VLAI?
Title
Craft CMS Allows Remote Code Execution
Summary
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack vector. This issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17, and is an additional fix for CVE-2023-41892.
Severity ?
10 (Critical)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32432",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-28T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-29T03:55:14.713Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"technical-description",
"exploit"
],
"url": "https://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms/"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cms",
"vendor": "craftcms",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0-RC1, \u003c 3.9.15"
},
{
"status": "affected",
"version": "\u003e= 4.0.0-RC1, \u003c 4.14.15"
},
{
"status": "affected",
"version": "\u003e= 5.0.0-RC1, \u003c 5.6.17"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack vector. This issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17, and is an additional fix for CVE-2023-41892."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-25T15:04:06.272Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3"
},
{
"name": "https://github.com/craftcms/cms/commit/e1c85441fa47eeb7c688c2053f25419bc0547b47",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/cms/commit/e1c85441fa47eeb7c688c2053f25419bc0547b47"
},
{
"name": "https://github.com/craftcms/cms/blob/3.x/CHANGELOG.md#3915---2025-04-10-critical",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/cms/blob/3.x/CHANGELOG.md#3915---2025-04-10-critical"
},
{
"name": "https://github.com/craftcms/cms/blob/4.x/CHANGELOG.md#41415---2025-04-10-critical",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/cms/blob/4.x/CHANGELOG.md#41415---2025-04-10-critical"
},
{
"name": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5617---2025-04-10-critical",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5617---2025-04-10-critical"
}
],
"source": {
"advisory": "GHSA-f3gw-9ww9-jmc3",
"discovery": "UNKNOWN"
},
"title": "Craft CMS Allows Remote Code Execution"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-32432",
"datePublished": "2025-04-25T15:04:06.272Z",
"dateReserved": "2025-04-08T10:54:58.368Z",
"dateUpdated": "2025-04-29T03:55:14.713Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}