CVE-2025-68454
published 2026-01-05

Priority: P2 (63)
Severity: high, 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.79% (51.5th percentile)

Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via Twig SSTI. For this to work, users must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled, which is against Craft CMS' recommendations for any non-dev environment. Alternatively, a non-administrator account with allowAdminChanges disabled can be used, provided access to the System Messages utility is available. It is possible to craft a malicious payload using the Twig `map` filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to RCE. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.

Affected (8 ranges; four of the rows carry no version range in the source)

Vendor     Product     Version range              Fixed in
craftcms   cms         (no range listed)          -
craftcms   cms         (no range listed)          -
craftcms   cms         >= 4.0.0-RC1, < 4.16.17    4.16.17
craftcms   cms         >= 5.0.0-RC1, < 5.8.21     5.8.21
craftcms   craft_cms   (no range listed)          -
craftcms   craft_cms   (no range listed)          -
craftcms   craft_cms   >= 4.0.0.1, < 4.16.17      4.16.17
craftcms   craft_cms   >= 5.0.1, < 5.8.21         5.8.21

Detection & IOCs (extracted from sources)

  • Look for Twig SSTI payloads using the `map` filter in Craft CMS control panel text fields that accept Twig input (e.g., Settings fields or System Messages utility)
  • Monitor Craft CMS System Messages utility for SSTI payloads — exploitation path does not require administrator access if the System Messages utility is accessible to lower-privileged accounts
  • Flag Craft CMS instances running versions 5.0.0-RC1 through 5.8.20 or 4.0.0-RC1 through 4.16.16 with allowAdminChanges enabled as high-risk for RCE via SSTI
  • Exploitation requires allowAdminChanges to be enabled (non-default in production) AND administrator access to the Craft Control Panel, OR a non-admin account with access to the System Messages utility
  • Patched versions are 5.8.21 and 4.16.17; unpatched craftcms/cms (Composer package) on both Linux and Windows is affected

CVSS provenance

Source   CVSS version   Score   Severity   Vector
nvd      v3.1           8.8     HIGH       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd      v4.0           5.2     MEDIUM     CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X