CVE-2025-57811 — Improper Neutralization of Special Elements Used in a Template Engine in Craft CMS

CWE-1336 — Improper Neutralization of Special Elements Used in a Template Engine CWE-22 — Path Traversal CWE-94 — Code Injection9 documents5 sources

Severity

7.5HIGHNVD

NVD6.1CNA7.2CNA6.1GHSA6.1OSV6.1

EPSS

0.2%

top 61.75%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Craftcms Craft CMS Craftcms CMS

Timeline

PublishedAug 25

Latest updateMar 4

Description

Craft is a platform for creating digital experiences. From versions 4.0.0-RC1 to 4.16.5 and 5.0.0-RC1 to 5.8.6, there is a potential remote code execution vulnerability via Twig SSTI (Server-Side Template Injection). This is a follow-up to CVE-2024-52293. This vulnerability has been patched in versions 4.16.6 and 5.8.7.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages3 packages

▶Packagistcraftcms/cms5.8.7 — 5.9.0-beta.1+3

▶NVDcraftcms/craft_cms4.1.0 — 4.16.6+5

▶CVEListV5craftcms/cms4 versions+3

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

Craft affected by authenticated RCE via Twig SSTI - create() function + Symfony Process gadget↗2026-03-04

▶

GHSA

Craft CMS Vulnerable to Authenticated RCE via Twig SSTI - create() function + Symfony Process gadget↗2026-03-03

▶

OSV

Craft CMS Vulnerable to Authenticated RCE via Twig SSTI - create() function + Symfony Process gadget↗2026-03-03

▶

OSV

Craft CMS Potential Remote Code Execution via Twig SSTI↗2025-08-25

▶

GHSA

Craft CMS Potential Remote Code Execution via Twig SSTI↗2025-08-25

▶

🕵️Threat Intelligence

Wiz

CVE-2026-28695 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶