CVE-2025-68454

Exploit

EPSS 0.79%
Veröffentlicht 05.01.2026 21:56:00
Zuletzt bearbeitet 12.01.2026 18:23:45
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Craft CMS vulnerable to potential authenticated Remote Code Execution via Twig SSTI

Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via Twig SSTI. For this to work, users must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled, which is against Craft CMS' recommendations for any non-dev environment. Alternatively, a non-administrator account with allowAdminChanges disabled can be used, provided access to the System Messages utility is available. It is possible to craft a malicious payload using the Twig `map` filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

NVD 8 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Craftcms ≫ Craft Cms Version >= 4.0.0.1 < 4.16.17

Craftcms ≫ Craft Cms Version >= 5.0.1 < 5.8.21

Craftcms ≫ Craft Cms Version4.0.0 Update-

Craftcms ≫ Craft Cms Version4.0.0 Updaterc1

Craftcms ≫ Craft Cms Version4.0.0 Updaterc2

Craftcms ≫ Craft Cms Version4.0.0 Updaterc3

Craftcms ≫ Craft Cms Version5.0.0 Update-

Craftcms ≫ Craft Cms Version5.0.0 Updaterc1

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.79%	0.513

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	5.2	0	0	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine

The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.

https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04

Product

Release Notes

https://github.com/craftcms/cms/security/advisories/GHSA-742x-x762-7383

Vendor Advisory

Exploit

https://github.com/craftcms/cms/commit/d82680f4a05f9576883bb83c3f6243d33ca73ebe

Patch

https://nvd.nist.gov/vuln/detail/CVE-2025-68454

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-68454

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-68454

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-68454