CVE-2025-46731

Published May 5, 2025

Last updated 2 days ago

CVSS high 7.3
Craft CMS

Overview

AI description

Generated using AI and has not been reviewed by Intruder. May contain errors.

CVE-2025-46731 is a potential remote code execution vulnerability found in Craft CMS. The vulnerability exists in versions of Craft CMS on the 4.x branch prior to 4.14.13 and on the 5.x branch prior to 5.6.16. It is related to Twig Server-Side Template Injection (SSTI). To exploit this vulnerability, an attacker must have administrator access and the `ALLOW_ADMIN_CHANGES` setting must be enabled. Users are advised to update to patched versions 4.14.13 or 5.6.15 to mitigate the issue.

Description
Craft is a content management system. Versions of Craft CMS on the 4.x branch prior to 4.14.13 and on the 5.x branch prior to 5.6.16 contain a potential remote code execution vulnerability via Twig SSTI. One must have administrator access and `ALLOW_ADMIN_CHANGES` must be enabled for this to work. Users should update to the patched versions 4.14.13 or 5.6.15 to mitigate the issue.
Source: security-advisories@github.com
NVD status: Awaiting Analysis

Risk scores

CVSS 4.0

Type: Secondary
Base score: 7.3
Impact score: -
Exploitability score: -
Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity: HIGH

Weaknesses

security-advisories@github.com: CWE-1336

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score: 50