Craft is a content management system. Versions of Craft CMS on the 4.x branch prior to 4.14.13 and on the 5.x branch prior to 5.6.16 contains a potential remote code execution vulnerability via Twig SSTI. One must have administrator access and `ALLOW_ADMIN_CHANGES` must be enabled for this to work. Users should update to the patched versions 4.14.13 or 5.6.15 to mitigate the issue.
Metrics
Affected Vendors & Products
References
History
Wed, 03 Sep 2025 18:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Craftcms
Craftcms craft Cms |
|
CPEs | cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:* cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:* cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:* cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:* cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:* |
|
Vendors & Products |
Craftcms
Craftcms craft Cms |
|
Metrics |
cvssV3_1
|
Sat, 12 Jul 2025 13:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
epss
|
epss
|
Mon, 05 May 2025 19:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | Craft is a content management system. Versions of Craft CMS on the 4.x branch prior to 4.14.13 and on the 5.x branch prior to 5.6.16 contains a potential remote code execution vulnerability via Twig SSTI. One must have administrator access and `ALLOW_ADMIN_CHANGES` must be enabled for this to work. Users should update to the patched versions 4.14.13 or 5.6.15 to mitigate the issue. | |
Title | Craft CMS Contains a Potential Remote Code Execution Vulnerability via Twig SSTI | |
Weaknesses | CWE-1336 | |
References |
| |
Metrics |
cvssV4_0
|

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2025-05-05T20:03:42.802Z
Reserved: 2025-04-28T20:56:09.085Z
Link: CVE-2025-46731

No data.

Status : Analyzed
Published: 2025-05-05T20:15:21.460
Modified: 2025-09-03T18:06:16.593
Link: CVE-2025-46731

No data.

No data.