Craft is a content management system. Versions of Craft CMS on the 4.x branch prior to 4.14.13 and on the 5.x branch prior to 5.6.16 contains a potential remote code execution vulnerability via Twig SSTI. One must have administrator access and `ALLOW_ADMIN_CHANGES` must be enabled for this to work. Users should update to the patched versions 4.14.13 or 5.6.15 to mitigate the issue.
References
Configurations
Configuration 1 (hide)
|
History
03 Sep 2025, 18:06
| Type | Values Removed | Values Added |
|---|---|---|
| References | () http://github.com/craftcms/cms/pull/17026 - Patch | |
| References | () https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production - Product | |
| References | () https://github.com/craftcms/cms/security/advisories/GHSA-7c58-g782-9j38 - Third Party Advisory | |
| References | () https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv - Not Applicable | |
| CPE | cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:* cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:* cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:* cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:* cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:* |
|
| First Time |
Craftcms
Craftcms craft Cms |
|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.2 |
05 May 2025, 20:54
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2025-05-05 20:15
Updated : 2025-09-03 18:06
NVD link : CVE-2025-46731
Mitre link : CVE-2025-46731
CVE.ORG link : CVE-2025-46731
JSON object : View
Products Affected
craftcms
- craft_cms
CWE
CWE-1336
Improper Neutralization of Special Elements Used in a Template Engine