Remote Code Execution Vulnerability in Craft CMS by Craft
CVE-2025-46731
What is CVE-2025-46731?
CVE-2025-46731 is a remote code execution vulnerability in Craft CMS, a widely used content management system (CMS) for building websites and applications. It affects the 4.x branch prior to 4.14.13 and the 5.x branch prior to 5.6.16. An attacker who already holds administrator access can use it to execute arbitrary code on the server through a flaw in the Twig server-side template injection (SSTI) mechanism. Organizations running affected versions risk significant operational disruption and data compromise, particularly where the ALLOW_ADMIN_CHANGES setting is enabled.
Technical Details
The vulnerability lies in how Craft CMS handles Twig templates: under certain conditions, injected template input is executed on the server (Twig SSTI). Exploitation requires an account that already has administrator access, which narrows who can reach the flaw, and it also requires the ALLOW_ADMIN_CHANGES setting to be enabled; leaving that setting on in a production environment is itself a configuration risk.
Organizations are advised to upgrade affected Craft CMS installations to version 4.14.13 or later on the 4.x branch, or 5.6.16 or later on the 5.x branch, to remediate this vulnerability.
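As an added example (not part of this advisory or of Craft CMS itself), the following Python script checks the two preconditions the text names for a given deployment: a craftcms/cms version inside the affected ranges, and ALLOW_ADMIN_CHANGES enabled. It reads composer.lock and .env contents (constructed samples below) and uses the fixed versions given in the advisory text, 4.14.13 and 5.6.16.

```python
import json
import re
# First fixed release on each affected branch, per the advisory text.
# Affected: >= 4.0.0-RC1 and < 4.14.13; >= 5.0.0-RC1 and < 5.6.16.
FIXED = {4: "4.14.13", 5: "5.6.16"}

def parse_version(v):
    """'5.6.15' or '4.0.0-RC1' -> comparable tuple; RCs sort below the final."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:-RC(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Craft version string: {v!r}")
    major, minor, patch, rc = m.groups()
    pre = (0, int(rc)) if rc else (1, 0)
    return (int(major), int(minor), int(patch)) + pre

def in_affected_range(version):
    """True if this craftcms/cms version falls in a CVE-2025-46731 range."""
    parsed = parse_version(version)
    fixed = FIXED.get(parsed[0])
    return fixed is not None and parsed < parse_version(fixed)

def cms_version_from_lock(lock_text):
    """Installed craftcms/cms version recorded in composer.lock, or None."""
    for pkg in json.loads(lock_text).get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg["version"].lstrip("v")
    return None

def admin_changes_allowed(env_text):
    """ALLOW_ADMIN_CHANGES from .env: True/False, or None when not set there."""
    for line in env_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "ALLOW_ADMIN_CHANGES":
            return value.strip().strip("\"'").lower() in ("true", "1", "yes", "on")
    return None

def assess(lock_text, env_text):
    """Combine both preconditions named in the advisory into one verdict."""
    version = cms_version_from_lock(lock_text)
    affected = version is not None and in_affected_range(version)
    return {"version": version, "affected_version": affected,
            "allow_admin_changes": admin_changes_allowed(env_text),
            "action": "upgrade" if affected else "none"}

# Constructed sample inputs (not taken from any real deployment).
SAMPLE_LOCK = '{"packages": [{"name": "craftcms/cms", "version": "5.6.14"}]}'
SAMPLE_ENV = "CRAFT_ENVIRONMENT=production\nALLOW_ADMIN_CHANGES=true\n"

if __name__ == "__main__":
    print(assess(SAMPLE_LOCK, SAMPLE_ENV))
```

A None for allow_admin_changes means the .env does not set it, so the effective value has to be confirmed in the Craft general config instead.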
Potential Impact of CVE-2025-46731
- Remote Code Execution: The ability for an unauthorized user to execute arbitrary code can lead to full system compromise, allowing attackers to manipulate or steal sensitive data.
- Data Breaches: If exploited, this vulnerability could result in unauthorized access to organizational data, leading to potential data leaks, loss of customer trust, and compliance violations.
- Operational Disruption: Successful exploitation might lead to service downtime, affecting website functionality and accessibility, which could disrupt business operations and service delivery.
Affected Version(s)
Package   Affected versions          Not affected
cms       >= 4.0.0-RC1, < 4.14.13    < 4.0.0-RC1, 4.14.13
cms       >= 5.0.0-RC1, < 5.6.15     < 5.0.0-RC1, 5.6.15