Remote Code Execution Vulnerability in Craft CMS by Craft

CVE-2025-46731

What is CVE-2025-46731?

CVE-2025-46731 is a critical remote code execution vulnerability found in Craft CMS, a widely used content management system designed for building and managing websites. This vulnerability affects versions of Craft CMS in the 4.x branch prior to 4.14.13 and in the 5.x branch prior to 5.6.16. The issue arises from a server-side template injection (SSTI) vulnerability through the Twig templating engine, which could potentially allow an attacker to execute arbitrary code on the server. For this exploit to be successful, an attacker must possess administrator access and the ALLOW_ADMIN_CHANGES option must be enabled in the system settings. If exploited, this vulnerability can significantly compromise the integrity and security of affected organizations, potentially allowing unauthorized access to sensitive data and system resources.

Potential impact of CVE-2025-46731

1. Unauthorized Code Execution: Attackers exploiting this vulnerability can execute arbitrary code on affected systems, leading to a complete loss of control over the Craft CMS environment. This could allow for the installation of malicious software, data theft, and web defacement.

2. Data Breaches: With remote code execution capabilities, adversaries can access sensitive data stored within the CMS, including user personal information, credentials, and proprietary content, raising severe privacy and compliance risks for organizations.

3. Wider Network Compromise: Exploiting this vulnerability may enable attackers to pivot to other systems within the same network, increasing the potential for a broader compromise. This could result in cascading failures across interconnected systems, impacting overall organizational operations and security posture.

References