CVE-2025-57811

Craft is a platform for creating digital experiences. From versions 4.0.0-RC1 to 4.16.5 and 5.0.0-RC1 to 5.8.6, there is a potential remote code execution vulnerability via Twig SSTI (Server-Side Template Injection). This is a follow-up to CVE-2024-52293. This vulnerability has been patched in versions 4.16.6 and 5.8.7.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.2 HIGH
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
GitHub_MCNA
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 59%
VendorProductVersion
craftcmscraft_cms
4.1.0 ≤
𝑥
< 4.16.6
craftcmscraft_cms
5.1.0 ≤
𝑥
< 5.8.7
craftcmscraft_cms
4.0.0:rc1
craftcmscraft_cms
4.0.0:rc2
craftcmscraft_cms
4.0.0:rc3
craftcmscraft_cms
5.0.0:rc1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/craftcms/cms/commit/e77f8a287dcdda41f1724f525d03542f18566cbc
https://github.com/craftcms/cms/pull/17612
https://github.com/craftcms/cms/security/advisories/GHSA-crcq-738g-pqvc