216.73.216.67

CVE-2025-54417

· Published 09/08/2025 02:15 · Modified 09/08/2025 02:15

Labels: CVE-2025-54417 2025-08-09CVE-2025-54417CWE-94[email protected]

Essential information

Published
09/08/2025 02:15
Modified
09/08/2025 02:15
Author
Creator
CVSS
5.2 MEDIUM (v3) 5.2 MEDIUM (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

Craft is a platform for creating digital experiences. Versions 4.13.8 through 4.16.2 and 5.5.8 through 5.8.3 contain a vulnerability that can bypass CVE-2025-23209: "Craft CMS has a potential RCE with a compromised security key". To exploit this vulnerability, the project must meet these requirements: have a compromised security key and create an arbitrary file in Craft's /storage/backups folder. With those criteria in place, attackers could create a specific, malicious request to the /updater/restore-db endpoint and execute CLI commands remotely. This issue is fixed in versions 4.16.3 and 5.8.4.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
craftcms / craft cpe:2.3:a:craftcms:craft:4.13.8-4.16.2:*:*:*:*:*:*:*
craftcms / craft cpe:2.3:a:craftcms:craft:5.5.8-5.8.3:*:*:*:*:*:*:*

References