CVE-2025-68454
Unknown Unknown - Not Provided

Authenticated Twig SSTI in Craft CMS Enables Remote Code Execution

Vulnerability report for CVE-2025-68454, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-05

Last updated on: 2026-01-05

Assigner: GitHub, Inc.

Description

Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via Twig SSTI. For this to work, users must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled, which is against Craft CMS' recommendations for any non-dev environment. Alternatively, a non-administrator account with allowAdminChanges disabled can be used, provided access to the System Messages utility is available. It is possible to craft a malicious payload using the Twig `map` filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-05
Last Modified
2026-01-05
Generated
2026-07-06
AI Q&A
2026-01-06
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
craftcms craft From 5.0.0 (inc) to 5.8.20 (inc)
craftcms craft From 4.0.0 (inc) to 4.16.16 (inc)
craftcms craft 5.8.21
craftcms craft 4.16.17

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1336 The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects Craft CMS versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16. It allows potential authenticated Remote Code Execution (RCE) via Twig Server-Side Template Injection (SSTI). To exploit it, an attacker needs administrator access to the Craft Control Panel with allowAdminChanges enabled, or a non-administrator account with access to the System Messages utility and allowAdminChanges disabled. The attacker can craft a malicious payload using the Twig 'map' filter in text fields that accept Twig input, which could lead to executing arbitrary code on the server. Updating to versions 5.8.21 or 4.16.17 mitigates this issue.

Impact Analysis

This vulnerability can lead to Remote Code Execution on the server hosting the Craft CMS, allowing an attacker with certain access privileges to execute arbitrary code. This can compromise the server, potentially leading to data theft, data loss, service disruption, or further attacks within the network.

Mitigation Strategies

Update Craft CMS to the patched versions 5.8.21 or 4.16.17. Additionally, ensure that allowAdminChanges is disabled in any non-development environment, as enabling it increases risk. Limit administrator access to trusted users and restrict access to the System Messages utility to prevent exploitation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68454. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart