216.73.216.170

CVE-2025-46731

· Published 05/05/2025 20:15 · Modified 05/05/2025 20:54

Labels: CVE-2025-46731 2025-05-05CVE-2025-46731CWE-1336[email protected]

Essential information

Published
05/05/2025 20:15
Modified
05/05/2025 20:54
Author
Creator
CVSS
7.3 HIGH (v3) 7.3 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

Craft is a content management system. Versions of Craft CMS on the 4.x branch prior to 4.14.13 and on the 5.x branch prior to 5.6.16 contains a potential remote code execution vulnerability via Twig SSTI. One must have administrator access and `ALLOW_ADMIN_CHANGES` must be enabled for this to work. Users should update to the patched versions 4.14.13 or 5.6.15 to mitigate the issue.

NVD status

Status
Awaiting Analysis — CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
craft / craft cms cpe:2.3:a:craft:craft_cms:<4.14.13:*:*:*:*:*:*:*
craft / craft cms cpe:2.3:a:craft:craft_cms:<5.6.16:*:*:*:*:*:*:*

References