CVE-2025-68454
Published 2026-01-05
Priority: P2 · 63 · CVSS 3.1: 8.8 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.79% (51.5th percentile)
Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via Twig SSTI. For this to work, users must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled, which is against Craft CMS' recommendations for any non-dev environment. Alternatively, a non-administrator account with allowAdminChanges disabled can be used, provided access to the System Messages utility is available. It is possible to craft a malicious payload using the Twig `map` filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to RCE. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| craftcms | cms | — | — |
| craftcms | cms | — | — |
| craftcms | cms | >= 4.0.0-RC1 < 4.16.17 | 4.16.17 |
| craftcms | cms | >= 5.0.0-RC1 < 5.8.21 | 5.8.21 |
| craftcms | craft_cms | — | — |
| craftcms | craft_cms | — | — |
| craftcms | craft_cms | >= 4.0.0.1 < 4.16.17 | 4.16.17 |
| craftcms | craft_cms | >= 5.0.1 < 5.8.21 | 5.8.21 |
Detection & IOCs (extracted from sources)
- Look for Twig SSTI payloads using the `map` filter in Craft CMS control panel text fields that accept Twig input (e.g., Settings fields or the System Messages utility)
- Monitor the Craft CMS System Messages utility for SSTI payloads; this exploitation path does not require administrator access if the utility is accessible to lower-privileged accounts
- Flag Craft CMS instances running versions 5.0.0-RC1 through 5.8.20 or 4.0.0-RC1 through 4.16.16 with allowAdminChanges enabled as high-risk for RCE via SSTI
- Exploitation requires allowAdminChanges to be enabled (non-default in production) AND administrator access to the Craft Control Panel, OR a non-admin account with access to the System Messages utility
- Patched versions are 5.8.21 and 4.16.17; unpatched craftcms/cms (Composer package) installations on both Linux and Windows are affected
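As an added example (not part of the advisory, OSV/GHSA, or any Craft tooling), the following script reads the craftcms/cms version from a Composer `composer.lock` document, tests it against the affected ranges stated above (including the RC lower bounds), and combines the result with the allowAdminChanges state to give the advisory's risk picture. The lock file content is constructed for the stand-alone run.

```python
import json
import re
# Pre-release stages sort below a final release (final = 3).
STAGE = {"alpha": 0, "beta": 1, "rc": 2}

def parse_version(v):
    """Turn '5.8.20', 'v4.16.16' or '5.0.0-RC1' into a comparable tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:\.\d+)?(?:-([A-Za-z]+)\.?(\d+)?)?", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    stage = STAGE.get(m[4].lower(), 3) if m[4] else 3
    pre_num = int(m[5]) if m[5] else 0
    return (int(m[1]), int(m[2]), int(m[3]), stage, pre_num)

# Affected ranges copied from the advisory: >= 4.0.0-RC1 < 4.16.17 and >= 5.0.0-RC1 < 5.8.21.
RANGES = {
    4: (parse_version("4.0.0-RC1"), parse_version("4.16.17")),
    5: (parse_version("5.0.0-RC1"), parse_version("5.8.21")),
}

def is_vulnerable(version):
    """True if this craftcms/cms version falls inside an affected range."""
    v = parse_version(version)
    bounds = RANGES.get(v[0])
    return bounds is not None and bounds[0] <= v < bounds[1]

def installed_cms_version(lock_text):
    """Read the craftcms/cms version recorded in a composer.lock document."""
    for pkg in json.loads(lock_text).get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg["version"]
    return None

def triage(version, allow_admin_changes):
    """Combine version and allowAdminChanges state into the advisory's risk picture."""
    if not is_vulnerable(version):
        return "patched"
    if allow_admin_changes:
        return "high: admin SSTI path open, update to 4.16.17 / 5.8.21"
    return "exposed: System Messages path remains, update to 4.16.17 / 5.8.21"

# Constructed sample lock file (not from any real site) so the script runs stand-alone.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "craftcms/cms", "version": "5.8.20"},
    {"name": "twig/twig", "version": "v3.14.0"},
]})
if __name__ == "__main__":
    ver = installed_cms_version(SAMPLE_LOCK)
    print(ver, triage(ver, allow_admin_changes=True))
```

Point `installed_cms_version` at a real `composer.lock` and pass the site's actual allowAdminChanges setting to `triage` to get the same classification the Detection & IOCs list describes.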
CVSS provenance
NVD, CVSS v3.1: 8.8 HIGH, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v4.0: 5.2 MEDIUM, vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
OSV
osv · 2026-01-05
CVE-2025-68454 [MEDIUM] Craft CMS vulnerable to potential authenticated Remote Code Execution via Twig SSTI
For this to work, users must have administrator access to the Craft Control Panel, and [allowAdminChanges](https://craftcms.com/docs/5.x/reference/config/general.html#allowadminchanges) must be enabled, which is against Craft CMS' recommendations for any non-dev environment.
https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production
Alternatively, a non-administrator account with allowAdminChanges disabled can be used, provided access to the System Messages utility is available.
It is possible to craft a malicious payload using the Twig `map` filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Me…
GHSA
ghsa · 2026-01-05
CVE-2025-68454 [MEDIUM] CWE-1336 Craft CMS vulnerable to potential authenticated Remote Code Execution via Twig SSTI
(Advisory text identical to the OSV entry above.)
No detection rules found.
No public exploits indexed.