cbcvebase.
CVE-2025-52122
published 2025-08-27

CVE-2025-52122: Freeform 5.0.0 to before 5.10.16, a plugin for CraftCMS, contains an Server-side template injection (SSTI) vulnerability, resulting in arbitrary code injection…

PriorityP261critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
0.57%
43.0th percentile
Freeform 5.0.0 to before 5.10.16, a plugin for CraftCMS, contains an Server-side template injection (SSTI) vulnerability, resulting in arbitrary code injection for all users that have access to editing a form (submission title).

Affected

2 ranges
VendorProductVersion rangeFixed in
solspacecraft-freeform>= 5.0.0 < 5.10.165.10.16
solspacefreeform>= 5.0.0 < 5.10.165.10.16
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.