CVE-2025-57811
Published 2025-08-25
Priority P3 49 · high · CVSS 3.1 base score 7.2
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.80% (52.1st percentile)
Craft is a platform for creating digital experiences. From versions 4.0.0-RC1 to 4.16.5 and 5.0.0-RC1 to 5.8.6, there is a potential remote code execution vulnerability via Twig SSTI (Server-Side Template Injection). This is a follow-up to CVE-2024-52293. This vulnerability has been patched in versions 4.16.6 and 5.8.7.
Affected (12 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| craftcms | cms | — | — |
| craftcms | cms | — | — |
| craftcms | cms | >= 4.0.0-RC1 < 4.17.0-beta.1 | 4.17.0-beta.1 |
| craftcms | cms | >= 4.0.0-RC1 < 4.16.6 | 4.16.6 |
| craftcms | cms | >= 5.0.0-RC1 < 5.8.7 | 5.8.7 |
| craftcms | cms | >= 5.8.7 < 5.9.0-beta.1 | 5.9.0-beta.1 |
| craftcms | craft_cms | < 4.17.0 | 4.17.0 |
| craftcms | craft_cms | < 5.9.0 | 5.9.0 |
| craftcms | craft_cms | — | — |
| craftcms | craft_cms | — | — |
| craftcms | craft_cms | >= 4.1.0 < 4.16.6 | 4.16.6 |
| craftcms | craft_cms | >= 5.1.0 < 5.8.7 | 5.8.7 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 6.1 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| ghsa | — | 6.1 | MEDIUM | — |
| osv | — | 6.1 | MEDIUM | — |
GHSA / OSV
Craft CMS Vulnerable to Authenticated RCE via Twig SSTI - create() function + Symfony Process gadget
ghsa · osv · 2026-03-03 · CVSS 6.1
CVE-2026-28695 [MEDIUM] CWE-1336 Craft CMS Vulnerable to Authenticated RCE via Twig SSTI - create() function + Symfony Process gadget
There is an authenticated admin RCE in Craft CMS 5.8.21 via Server-Side Template Injection using the `create()` Twig function combined with a Symfony Process gadget chain.
This bypasses the fix implemented for CVE-2025-57811 (patched in 5.8.7).
## Required Permissions
- Administrator permissions or access to System Messages utility
- `allowAdminChanges` enabled in production ([against our security recommendations](https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production)) or access to System Messages utility
## Vulnerability Details
The `create()` Twig function exposes `Craft::createObject()`, which allows instantiation of arbitrary PHP classes wi
GHSA / OSV
Craft CMS Potential Remote Code Execution via Twig SSTI
ghsa · osv · 2025-08-25
CVE-2025-57811 [MEDIUM] CWE-1336 Craft CMS Potential Remote Code Execution via Twig SSTI
Note that users must have administrator access to the Craft Control Panel, and [allowAdminChanges](https://craftcms.com/docs/5.x/reference/config/general.html#allowadminchanges) must be enabled for this to work, which is against Craft CMS' recommendations for any non-dev environment.
https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production
Note: This is a follow-up to [GHSA-f3cw-hg6r-chfv](https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv)
Users should update to the patched versions (4.16.6 and 5.8.7) to mitigate the issue.
Resources: https://github.com/craftcms/cms/pull/17612
No detection rules found.
No public exploits indexed.
Published: 2025-08-25