Remote Code Execution Vulnerability in Craft CMS by Craft
CVE-2025-46731
What is CVE-2025-46731?
CVE-2025-46731 is a critical remote code execution vulnerability in Craft CMS, a widely used content management system for building and managing websites. It affects the 4.x branch prior to 4.14.13 and the 5.x branch prior to 5.6.16. The flaw is a server-side template injection (SSTI) through the Twig templating engine, which can allow an attacker to execute arbitrary code on the server. Exploitation requires administrator access and the ALLOW_ADMIN_CHANGES option enabled in the system settings. If exploited, the vulnerability can seriously compromise the integrity and security of affected organizations, potentially allowing unauthorized access to sensitive data and system resources.
Potential impact of CVE-2025-46731
- Unauthorized Code Execution: Attackers exploiting this vulnerability can execute arbitrary code on affected systems, leading to a complete loss of control over the Craft CMS environment. This could allow the installation of malicious software, data theft, and web defacement.
- Data Breaches: With remote code execution, adversaries can access sensitive data stored within the CMS, including users' personal information, credentials, and proprietary content, raising severe privacy and compliance risks for organizations.
- Wider Network Compromise: Exploiting this vulnerability may let attackers pivot to other systems on the same network, increasing the potential for a broader compromise. This could result in cascading failures across interconnected systems, affecting overall organizational operations and security posture.
Affected Version(s)
Package | Affected range            | Unaffected range
cms     | >= 4.0.0-RC1, < 4.14.13   | < 4.0.0-RC1, 4.14.13
cms     | >= 5.0.0-RC1, < 5.6.15    | < 5.0.0-RC1, 5.6.15
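The advisory gives two conditions for this issue to be reachable: a Craft CMS version inside the affected ranges above, and the ALLOW_ADMIN_CHANGES option enabled. The following checker is an added example, not code from the advisory or from the Craft project; it reads the installed version from a composer.lock document under the package name craftcms/cms (an assumption about the deployment), takes the ALLOW_ADMIN_CHANGES state from the caller, and compares the version against the ranges listed in the Affected Version(s) section, treating a pre-release such as 4.0.0-RC1 as sorting before the final 4.0.0.

```python
"""Check a Craft CMS install against the CVE-2025-46731 affected ranges.

Added example, not from the advisory or the Craft project. Assumes the
installed version is recorded in composer.lock as package "craftcms/cms"
and that the caller supplies the current ALLOW_ADMIN_CHANGES setting.
"""
import json
import re

# Ranges exactly as listed in the advisory's Affected Version(s) table:
# (lower bound inclusive, upper bound exclusive)
AFFECTED_RANGES = [
    ("4.0.0-RC1", "4.14.13"),
    ("5.0.0-RC1", "5.6.15"),
]

# major.minor.patch with an optional pre-release tag such as -RC1 or -beta.2
_VER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.?(\d*))?$")


def parse_version(text):
    """Turn '4.14.13' or '5.0.0-RC1' into a tuple that compares correctly.

    A pre-release sorts before the final release with the same number, so
    4.0.0-RC1 < 4.0.0; alpha < beta < rc follows from lowercase tag order.
    """
    m = _VER.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch, tag, num = m.groups()
    # final release: rank 1; any pre-release: rank 0 so it sorts first
    pre = (1, "", 0) if tag is None else (0, tag.lower(), int(num or 0))
    return (int(major), int(minor), int(patch)) + pre


def is_affected(version):
    """True if the version falls inside any advisory range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED_RANGES)


def installed_cms_version(composer_lock_text):
    """Return the craftcms/cms version recorded in a composer.lock document."""
    lock = json.loads(composer_lock_text)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg["version"]
    return None


def assess(composer_lock_text, allow_admin_changes):
    """Return a one-line verdict for this install.

    Per the advisory, exploitation needs a vulnerable version AND the
    ALLOW_ADMIN_CHANGES option enabled (plus an admin account); a vulnerable
    version with the option off still needs the upgrade.
    """
    version = installed_cms_version(composer_lock_text)
    if version is None:
        return "unknown: craftcms/cms not found in composer.lock"
    if not is_affected(version):
        return f"not affected: craftcms/cms {version}"
    if allow_admin_changes:
        return (f"exploitable: craftcms/cms {version} with ALLOW_ADMIN_CHANGES "
                f"enabled; upgrade now")
    return (f"vulnerable: craftcms/cms {version}; ALLOW_ADMIN_CHANGES is off, "
            f"upgrade and keep it off in production")


# Constructed sample composer.lock fragment (not taken from a real install)
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "craftcms/cms", "version": "5.6.14"},
        {"name": "example-vendor/example-plugin", "version": "1.0.0"},
    ]
})

if __name__ == "__main__":
    print(assess(SAMPLE_LOCK, allow_admin_changes=True))
```

Run it against a real composer.lock by replacing SAMPLE_LOCK with the file's contents and passing the value of your general config's allow-admin-changes setting; the pre-release handling matters because both affected ranges start at an RC build, and a naive string comparison would misplace those versions.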
Timeline
- Exploit known to exist
- Vulnerability started trending
- Vulnerability published
- Vulnerability reserved