Remote Code Execution Vulnerability in Craft CMS by Craft
CVE-2025-46731

7.3 HIGH

Key Information:

Vendor: Craftcms
Status: Vendor
CVE Published: 5 May 2025

Badges: Trended; Score: 4,810; Exploit Exists

What is CVE-2025-46731?

CVE-2025-46731 is a critical remote code execution vulnerability in Craft CMS, a widely used content management system for building and managing websites. It affects Craft CMS 4.x versions prior to 4.14.13 and 5.x versions prior to 5.6.16. The root cause is a server-side template injection (SSTI) flaw reachable through the Twig templating engine, which could allow an attacker to execute arbitrary code on the server. Exploitation requires administrator access, and the ALLOW_ADMIN_CHANGES option must be enabled in the system settings. If exploited, the vulnerability can significantly compromise the integrity and security of affected organizations, potentially allowing unauthorized access to sensitive data and system resources.

Potential impact of CVE-2025-46731

  1. Unauthorized Code Execution: Attackers exploiting this vulnerability can execute arbitrary code on affected systems, leading to a complete loss of control over the Craft CMS environment. This could allow for the installation of malicious software, data theft, and web defacement.

  2. Data Breaches: With remote code execution capabilities, adversaries can access sensitive data stored within the CMS, including user personal information, credentials, and proprietary content, raising severe privacy and compliance risks for organizations.

  3. Wider Network Compromise: Exploiting this vulnerability may enable attackers to pivot to other systems within the same network, increasing the potential for a broader compromise. This could result in cascading failures across interconnected systems, impacting overall organizational operations and security posture.

Affected Version(s)

Package: cms
  Affected:   >= 4.0.0-RC1, < 4.14.13
  Unaffected: < 4.0.0-RC1, 4.14.13

Package: cms
  Affected:   >= 5.0.0-RC1, < 5.6.15
  Unaffected: < 5.0.0-RC1, 5.6.15
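The affected ranges above and the precondition named in the description (administrator access plus the ALLOW_ADMIN_CHANGES option) are what a defender actually has to check against an inventory. The following is an added example, not code from this page or from the Craft project: it parses Craft-style version strings, including the "-RC1" pre-release form used in the ranges, tests whether an installed version falls inside an advisory range, and folds in the ALLOW_ADMIN_CHANGES state to rank the update. The ranges are copied from the table above; how the ALLOW_ADMIN_CHANGES value is obtained from a given deployment is assumed to be the caller's job, and the sample inputs are constructed.

```python
import re

# Affected ranges copied from this advisory's "Affected Version(s)" section:
# each entry is (inclusive lower bound, exclusive upper bound).
AFFECTED_RANGES = [
    ("4.0.0-RC1", "4.14.13"),
    ("5.0.0-RC1", "5.6.15"),
]

# Accepts MAJOR.MINOR.PATCH with an optional pre-release suffix such as
# "-RC1", "-beta.2" or "-alpha1" (the form used in this advisory's ranges).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.?(\d*))?$")


def parse_version(text):
    """Turn a version string into a tuple that sorts correctly.

    Pre-releases sort before the final release of the same number, so
    4.0.0-RC1 < 4.0.0, and alpha < beta < rc falls out of alphabetical order.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    tag, num = m.group(4), m.group(5)
    if tag is None:
        prerelease = (1, "", 0)          # final release: sorts after any pre-release
    else:
        prerelease = (0, tag.lower(), int(num) if num else 0)
    return (major, minor, patch, prerelease)


def is_affected(installed, ranges=AFFECTED_RANGES):
    """True when `installed` falls inside any advisory range."""
    v = parse_version(installed)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in ranges)


def assess(installed, allow_admin_changes):
    """Combine the version check with the precondition the advisory states.

    `allow_admin_changes` is the value of the ALLOW_ADMIN_CHANGES setting the
    advisory names; reading it from a real deployment is left to the caller
    (assumed input, not something taken from the page).
    Returns one of: "unaffected", "update", "update-urgent".
    """
    if not is_affected(installed):
        return "unaffected"
    if not allow_admin_changes:
        # Vulnerable code is present but the stated precondition is not met;
        # still update, because the setting can be switched on later.
        return "update"
    return "update-urgent"


if __name__ == "__main__":
    # Constructed sample inputs, not real deployments.
    for version, admin_changes in [("4.14.12", True), ("5.6.15", True),
                                   ("5.0.0-RC1", False), ("3.9.0", True)]:
        print(f"{version:>10}  allow_admin_changes={admin_changes!s:<5} -> "
              f"{assess(version, admin_changes)}")
```

Because the lower bounds are pre-releases, a naive string or integer comparison would misplace 4.0.0-RC1 relative to 4.0.0; the tuple ordering handles that, and a pre-release older than the RC (such as a beta) is correctly reported as outside the range.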

CVSS V4

Score: 7.3
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Exploit known to exist
  • Vulnerability started trending
  • Vulnerability published
  • Vulnerability reserved
