CVE-2025-68454
EPSS 0.50%
Craft CMS vulnerable to potential authenticated Remote Code Execution via Twig SSTI
Description
For this to work, the user must have administrator access to the Craft Control Panel, and [allowAdminChanges](https://craftcms.com/docs/5.x/reference/config/general.html#allowadminchanges) must be enabled, which is against Craft CMS' recommendation for any non-dev environment: https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production

Alternatively, a non-administrator account with allowAdminChanges disabled can be used, provided the account has access to the System Messages utility.

It is possible to craft a malicious payload using the Twig `map` filter in text fields that accept Twig input under Settings in the Craft control panel, or via the System Messages utility, which could lead to RCE.

Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.

References:
- https://github.com/craftcms/cms/commit/d82680f4a05f9576883bb83c3f6243d33ca73ebe
- https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04
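The two mitigating controls the advisory names are the patched version threshold and the `allowAdminChanges` setting. The script below is an added example, not code from Craft CMS or from the advisory: it reads a `composer.lock` to find the installed `craftcms/cms` version, compares it against the affected range (handling the `5.0.0-RC1` prerelease lower bound), and heuristically inspects a `config/general.php` fragment for the `allowAdminChanges` value. The sample lock file and config fragment are constructed inline. The 4.x lower bound is not stated on the page; treating every 4.x release below 4.16.17 as affected is an assumption, as is the regex heuristic for both the array-style and fluent-style Craft config syntax.

```python
import json
import re
from typing import Optional, Tuple

# Affected ranges. The 5.x range is taken from the advisory; the 4.x range is an
# ASSUMPTION derived only from the stated patched version 4.16.17.
AFFECTED_RANGES = [
    ("5.0.0-RC1", "5.8.21"),
    ("4.0.0", "4.16.17"),
]

# Prerelease labels in ascending precedence; a final release sorts above all of them.
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.?(\d*))?")


def parse_version(text: str) -> Tuple[int, int, int, int, int, int]:
    """Turn '5.0.0-RC1', '5.0.0-beta.3' or 'v5.8.20' into a comparable tuple."""
    m = _VERSION_RE.fullmatch(text.strip().lstrip("v"))
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4):
        label = m.group(4).lower()
        if label not in _PRE_RANK:
            raise ValueError(f"unknown prerelease label in {text!r}")
        # (0, rank, number) so that any prerelease sorts below the (1, 0, 0) release.
        return (major, minor, patch, 0, _PRE_RANK[label], int(m.group(5) or 0))
    return (major, minor, patch, 1, 0, 0)


def is_affected(version: str) -> bool:
    """True if version falls inside any [lower, upper) affected range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED_RANGES)


def installed_craft_version(lock_json: str) -> Optional[str]:
    """Return the locked craftcms/cms version from composer.lock content, if present."""
    data = json.loads(lock_json)
    for pkg in data.get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg.get("version")
    return None


def check_lock(lock_json: str) -> Tuple[Optional[str], bool]:
    """(version, affected) for the craftcms/cms entry; (None, False) if not installed."""
    version = installed_craft_version(lock_json)
    if version is None:
        return None, False
    return version, is_affected(version)


# Heuristic (ASSUMPTION): matches both  'allowAdminChanges' => false  and
# ->allowAdminChanges(false). Returns None when the key is not set explicitly.
_ADMIN_CHANGES_RE = re.compile(
    r"allowAdminChanges['\"]?\s*(?:=>\s*|\()\s*(true|false)\b", re.IGNORECASE
)


def config_allows_admin_changes(php_source: str) -> Optional[bool]:
    m = _ADMIN_CHANGES_RE.search(php_source)
    if not m:
        return None  # not set in this fragment; Craft's documented default is true
    return m.group(1).lower() == "true"


# Constructed sample inputs (not taken from any real deployment).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "twig/twig", "version": "v3.14.0"},
        {"name": "craftcms/cms", "version": "5.8.20"},
    ]
})

SAMPLE_CONFIG_ARRAY = "<?php\nreturn [\n    'allowAdminChanges' => true,\n];\n"
SAMPLE_CONFIG_FLUENT = "<?php\nreturn GeneralConfig::create()\n    ->allowAdminChanges(false);\n"


if __name__ == "__main__":
    version, affected = check_lock(SAMPLE_LOCK)
    print(f"craftcms/cms {version}: {'AFFECTED' if affected else 'not affected'}")
    for label, cfg in (("array", SAMPLE_CONFIG_ARRAY), ("fluent", SAMPLE_CONFIG_FLUENT)):
        print(f"allowAdminChanges ({label} config): {config_allows_admin_changes(cfg)}")
```

Run it against the real `composer.lock` and `config/general.php` of a deployment by swapping the constructed strings for file contents; an affected version combined with `allowAdminChanges` unset or `true` is the configuration the advisory describes as exposed to administrator accounts.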
Affected packages (1)
- Packagist / craftcms/cms: >= 5.0.0-RC1, < 5.8.21
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U |
References (5)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-68454
- PATCH: https://github.com/craftcms/cms
- WEB: https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04
- WEB: https://github.com/craftcms/cms/commit/d82680f4a05f9576883bb83c3f6243d33ca73ebe
- WEB: https://github.com/craftcms/cms/security/advisories/GHSA-742x-x762-7383