Craft is a platform for creating digital experiences. From versions 4.0.0-RC1 to 4.16.5 and 5.0.0-RC1 to 5.8.6, there is a potential remote code execution vulnerability via Twig SSTI (Server-Side Template Injection). This is a follow-up to CVE-2024-52293. This vulnerability has been patched in versions 4.16.6 and 5.8.7.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Wed, 03 Sep 2025 17:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


Tue, 26 Aug 2025 07:30:00 +0000

Type Values Removed Values Added
First Time appeared Craftcms
Craftcms craft Cms
Vendors & Products Craftcms
Craftcms craft Cms

Mon, 25 Aug 2025 21:45:00 +0000

Type Values Removed Values Added
Description Craft is a platform for creating digital experiences. From versions 4.0.0-RC1 to 4.16.5 and 5.0.0-RC1 to 5.8.6, there is a potential remote code execution vulnerability via Twig SSTI (Server-Side Template Injection). This is a follow-up to CVE-2024-52293. This vulnerability has been patched in versions 4.16.6 and 5.8.7.
Title Craft Potential Remote Code Execution via Twig SSTI
Weaknesses CWE-1336
References
Metrics cvssV4_0

{'score': 6.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2025-08-25T18:05:18.176Z

Reserved: 2025-08-20T14:30:35.010Z

Link: CVE-2025-57811

cve-icon Vulnrichment

Updated: 2025-08-25T18:05:10.667Z

cve-icon NVD

Status : Analyzed

Published: 2025-08-25T18:15:31.097

Modified: 2025-09-03T17:43:47.143

Link: CVE-2025-57811

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-08-26T07:25:10Z