CVE-2025-46731

Craft is a content management system. Versions of Craft CMS on the 4.x branch prior to 4.14.13 and on the 5.x branch prior to 5.6.16 contains a potential remote code execution vulnerability via Twig SSTI. One must have administrator access and `ALLOW_ADMIN_CHANGES` must be enabled for this to work. Users should update to the patched versions 4.14.13 or 5.6.15 to mitigate the issue.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
http://github.com/craftcms/cms/pull/17026	Patch
https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production	Product
https://github.com/craftcms/cms/security/advisories/GHSA-7c58-g782-9j38	Third Party Advisory
https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv	Not Applicable

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:craftcms:craft_cms::::::::
	cpe:2.3:a:craftcms:craft_cms::::::::
	cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1::::::
	cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2::::::
	cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3::::::
	cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1::::::

History

03 Sep 2025, 18:06

Type	Values Removed	Values Added
References	~~() http://github.com/craftcms/cms/pull/17026 -~~	() http://github.com/craftcms/cms/pull/17026 - Patch
References	~~() https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production -~~	() https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production - Product
References	~~() https://github.com/craftcms/cms/security/advisories/GHSA-7c58-g782-9j38 -~~	() https://github.com/craftcms/cms/security/advisories/GHSA-7c58-g782-9j38 - Third Party Advisory
References	~~() https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv -~~	() https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv - Not Applicable
Summary		(es) Craft es un sistema de gestión de contenido. Las versiones de Craft CMS en la rama 4.x anterior a la 4.14.13 y en la rama 5.x anterior a la 5.6.16 contienen una posible vulnerabilidad de ejecución remota de código a través de Twig SSTI. Se requiere acceso de administrador y la opción `ALLOW_ADMIN_CHANGES` debe estar habilitada para que esto funcione. Los usuarios deben actualizar a las versiones parcheadas 4.14.13 o 5.6.15 para mitigar el problema.
CPE		cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:::::: cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:::::: cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:::::: cpe:2.3:a:craftcms:craft_cms:::::::: cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.2
First Time		Craftcms craft Cms Craftcms

05 May 2025, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-05 20:15

Updated : 2025-09-03 18:06

NVD link : CVE-2025-46731

Mitre link : CVE-2025-46731

CVE.ORG link : CVE-2025-46731

JSON object : View

Products Affected

craftcms

craft_cms

CWE

CWE-1336

7.2 /10