Craft CMS Remote Code Execution Vulnerability via Twig Server-Side Template Injection

Vulnerability

A remote code execution vulnerability has been identified in Craft CMS 4.x (from 4.0.0-RC1) and 5.x (from 5.0.0-RC1) in all releases before the patched versions 4.16.6 and 5.8.7 respectively. The flaw is a server-side template injection (SSTI) in Twig: a template containing a crafted payload can reach PHP code execution on the server. Exploitation requires an authenticated administrator account and the 'ALLOW_ADMIN_CHANGES' setting to be enabled, so an instance with admin changes disabled in production is not exposed through this path even while unpatched.

Impact

Successful exploitation gives an administrator arbitrary code execution on the server hosting Craft CMS, with the privileges of the PHP process that renders templates.

Reproduction

To reproduce this vulnerability, log in as an administrator on an instance where 'ALLOW_ADMIN_CHANGES' is enabled and, through the control panel's template editing/upload facility, save a Twig template that includes a payload capable of executing PHP code. Once the template is saved and rendered, the injected code runs on the server.

Remediation

Users should update Craft CMS to version 4.16.6 (4.x) or 5.8.7 (5.x), where this vulnerability has been patched. Until the upgrade is applied, setting 'ALLOW_ADMIN_CHANGES' to false, the recommended production configuration, removes one of the two preconditions but does not replace the update.
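The two preconditions above (an affected release and admin changes enabled) are what a triage script should check across a fleet of Craft installs. The following is an added example, not code from this page or from the Craft project: it reads the installed craftcms/cms version from a composer.lock and the admin-changes flag from a .env file, and reports whether both conditions hold. The fixed versions are taken from the Remediation section; the env var name CRAFT_ALLOW_ADMIN_CHANGES (alongside the ALLOW_ADMIN_CHANGES named on this page), the assumption that the setting defaults to true when unset, and the sample lock/env contents are assumptions made for the example and are labelled as such in the code.

```python
import json
import re

# First patched release on each line, as stated in the Remediation section.
FIRST_FIXED = {4: "4.16.6", 5: "5.8.7"}

# Env var names consulted. ALLOW_ADMIN_CHANGES is the name used on this page;
# CRAFT_ALLOW_ADMIN_CHANGES is an assumed alternative spelling.
ADMIN_CHANGES_KEYS = ("CRAFT_ALLOW_ADMIN_CHANGES", "ALLOW_ADMIN_CHANGES")

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.?(\d*))?$")


def parse_version(text):
    """Turn '5.8.7' or '5.0.0-RC1' into a tuple that sorts correctly.

    A pre-release (RC1, beta2, ...) sorts *before* the final release with the
    same numbers, which matters for the 4.0.0-RC1 / 5.0.0-RC1 lower bounds.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(m.group(i)) for i in (1, 2, 3))
    if m.group(4):
        pre = (0, m.group(4).lower(), int(m.group(5) or 0))
    else:
        pre = (1,)  # a final release sorts after any pre-release
    return numbers + pre


def is_vulnerable_version(version):
    """True if this Craft release falls inside the affected range."""
    parsed = parse_version(version)
    fixed = FIRST_FIXED.get(parsed[0])
    if fixed is None:
        return False  # 3.x and earlier are outside the advisory's range
    return parsed < parse_version(fixed)


def craft_version_from_lock(lock_json):
    """Pull the installed craftcms/cms version out of a composer.lock."""
    data = json.loads(lock_json)
    for pkg in data.get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg["version"]
    return None


def admin_changes_enabled(env_text):
    """Parse KEY=VALUE lines from a .env file and report whether admin
    changes are on. Comments and surrounding quotes are stripped. If the
    key is absent we assume Craft's default of true (assumption); a value
    set in config/general.php is not seen by this check."""
    values = {}
    for line in env_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip().strip('"').strip("'").lower()
    for key in ADMIN_CHANGES_KEYS:
        if key in values:
            return values[key] in ("1", "true", "yes", "on")
    return True


def assess(lock_json, env_text):
    """Combine both preconditions into one triage verdict."""
    version = craft_version_from_lock(lock_json)
    if version is None:
        return {"installed": None, "exposed": False,
                "reason": "craftcms/cms not present in lock file"}
    vulnerable = is_vulnerable_version(version)
    admin_changes = admin_changes_enabled(env_text)
    return {
        "installed": version,
        "vulnerable_version": vulnerable,
        "admin_changes_enabled": admin_changes,
        # The SSTI path needs both an affected release and admin changes on.
        "exposed": vulnerable and admin_changes,
        "upgrade_to": FIRST_FIXED[parse_version(version)[0]] if vulnerable else None,
    }


# Constructed sample inputs for the example (not real project files).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "craftcms/cms", "version": "5.8.6"},
    {"name": "twig/twig", "version": "3.21.1"},
]})
SAMPLE_ENV = """# constructed .env
CRAFT_ENVIRONMENT=production
CRAFT_ALLOW_ADMIN_CHANGES=true
"""

if __name__ == "__main__":
    print(assess(SAMPLE_LOCK, SAMPLE_ENV))
```

Run it against each site's composer.lock and .env; a result with `exposed: true` is the one to patch first, while `vulnerable_version: true` with admin changes off still needs the upgrade, just with less urgency.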

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 10.0
exploitability: 6.0
remediation: 7.9
relevance: 0.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.