CVE-2025-68454
Unknown Unknown - Not Provided
Authenticated Twig SSTI in Craft CMS Enables Remote Code Execution

Publication date: 2026-01-05

Last updated on: 2026-01-05

Assigner: GitHub, Inc.

Description
Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via Twig SSTI. For this to work, users must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled, which is against Craft CMS' recommendations for any non-dev environment. Alternatively, a non-administrator account with allowAdminChanges disabled can be used, provided access to the System Messages utility is available. It is possible to craft a malicious payload using the Twig `map` filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-05
Last Modified
2026-01-05
Generated
2026-06-16
AI Q&A
2026-01-06
EPSS Evaluated
2026-06-15
NVD
CVE-2025-68454
EUVD
EUVD-2026-0844
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
craftcms craft From 5.0.0 (inc) to 5.8.20 (inc)
craftcms craft From 4.0.0 (inc) to 4.16.16 (inc)
craftcms craft 5.8.21
craftcms craft 4.16.17
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1336 The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects Craft CMS versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16. It allows potential authenticated Remote Code Execution (RCE) via Twig Server-Side Template Injection (SSTI). To exploit it, an attacker needs administrator access to the Craft Control Panel with allowAdminChanges enabled, or a non-administrator account with access to the System Messages utility and allowAdminChanges disabled. The attacker can craft a malicious payload using the Twig 'map' filter in text fields that accept Twig input, which could lead to executing arbitrary code on the server. Updating to versions 5.8.21 or 4.16.17 mitigates this issue.

Impact Analysis

This vulnerability can lead to Remote Code Execution on the server hosting the Craft CMS, allowing an attacker with certain access privileges to execute arbitrary code. This can compromise the server, potentially leading to data theft, data loss, service disruption, or further attacks within the network.

Mitigation Strategies

Update Craft CMS to the patched versions 5.8.21 or 4.16.17. Additionally, ensure that allowAdminChanges is disabled in any non-development environment, as enabling it increases risk. Limit administrator access to trusted users and restrict access to the System Messages utility to prevent exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68454. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart