CVE-2025-68454Improper Neutralization of Special Elements Used in a Template Engine in Craft CMS

CWE-1336Improper Neutralization of Special Elements Used in a Template Engine5 documents5 sources
Severity
5.2MEDIUMNVD
EPSS
0.5%
top 33.95%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Craftcms Craft CMSCraftcms CMS
Timeline
PublishedJan 5

Description

Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via Twig SSTI. For this to work, users must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled, which is against Craft CMS' recommendations for any non-dev environment. Alternatively, a non-administrator account with allowAdminChanges disabled can be used, provided access to t

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages3 packages

Packagistcraftcms/cms5.0.0-RC15.8.21+1
NVDcraftcms/craft_cms4.0.0.14.16.17+3
CVEListV5craftcms/cms>= 4.0.0-RC1, < 4.16.17, >= 5.0.0-RC1, < 5.8.21+1

Patches

Patch: github.com

🔴Vulnerability Details

3
OSV
Craft CMS vulnerable to potential authenticated Remote Code Execution via Twig SSTI2026-01-05
GHSA
Craft CMS vulnerable to potential authenticated Remote Code Execution via Twig SSTI2026-01-05
CVEList
Craft CMS vulnerable to potential authenticated Remote Code Execution via Twig SSTI2026-01-05

🕵️Threat Intelligence

1
Wiz
CVE-2025-68454 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2025-68454 — Craftcms Craft CMS vulnerability | cvebase