{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57972?format=json","vulnerability_id":"VCID-h6t5-pdp5-8qhe","summary":"Craft CMS Potential Remote Code Execution via Twig SSTI\nNote that users must have administrator access to the Craft Control Panel, and [allowAdminChanges](https://craftcms.com/docs/5.x/reference/config/general.html#allowadminchanges) must be enabled for this to work, which is against Craft CMS' recommendations for any non-dev environment.\n\nhttps://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production\n\nNote: This is a follow-up to [GHSA-f3cw-hg6r-chfv](https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv)\n\nUsers should update to the patched versions (4.16.6 and 5.8.7) to mitigate the issue.\n\nResources: https://github.com/craftcms/cms/pull/17612","aliases":[{"alias":"CVE-2025-57811"},{"alias":"GHSA-crcq-738g-pqvc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/86230?format=json","purl":"pkg:composer/craftcms/cms@4.16.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.16.6"},{"url":"http://public2.vulnerablecode.io/api/packages/74412?format=json","purl":"pkg:composer/craftcms/cms@5.8.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-qwmy-d2e8-5khw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.8.7"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/65261?format=json","purl":"pkg:composer/craftcms/cms@4.0.0-RC1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1468-4fdx-kbfr"},{"vulnerability":"VCID-1mb5-28xp-ckd2"},{"vulnerability":"VCID-27cr-w1um-d3e5"},{"vulnerability":"VCID-2vn9-2cs3-vbg3"},{"vulnerability":"VCID-41y2-tucq-ykaj"},{"vulnerability":"VCID-5cxe-tjpb-3qan"},{"vulnerability":"VCID-5pur-jy1x-gfhv"},{"vulnerability":"VCID-6gwq-1fda-xkcj"},{"vulnerability":"VCID-6h71-zkte-v3ev"},{"vulnerability":"VCID-71sv-62m4-z3er"},{"vulnerability":"VCID-7y4f-ef7t-47eb"},{"vulnerability":"VCID-8u2j-17a4-q7eh"},{"vulnerability":"VCID-91sx-dk5s-dycz"},{"vulnerability":"VCID-9enr-b6zd-mbh8"},{"vulnerability":"VCID-aajd-9qsf-37cr"},{"vulnerability":"VCID-akrv-yqnf-1kg8"},{"vulnerability":"VCID-azr5-12f8-hfbm"},{"vulnerability":"VCID-c2nk-y4rx-1qf4"},{"vulnerability":"VCID-chep-xthg-zuee"},{"vulnerability":"VCID-cys8-jnmu-77ec"},{"vulnerability":"VCID-dz26-b2ts-puep"},{"vulnerability":"VCID-ec34-nvn3-qbcb"},{"vulnerability":"VCID-f7gc-cgka-tycr"},{"vulnerability":"VCID-h6t5-pdp5-8qhe"},{"vulnerability":"VCID-hyct-5gap-7kdu"},{"vulnerability":"VCID-jeyh-3jxd-z3g6"},{"vulnerability":"VCID-jhen-vhqx-n7dr"},{"vulnerability":"VCID-jsfs-azcs-mfcm"},{"vulnerability":"VCID-jxz8-g6fq-dubw"},{"vulnerability":"VCID-kbrc-85av-nfcn"},{"vulnerability":"VCID-m5rf-usae-yfb7"},{"vulnerability":"VCID-ppet-ruae-1kav"},{"vulnerability":"VCID-qcwp-su57-9fa1"},{"vulnerability":"VCID-qq68-3j4y-47am"},{"vulnerability":"VCID-qwmy-d2e8-5khw"},{"vulnerability":"VCID-qywv-vf4r-8bh9"},{"vulnerability":"VCID-r5hp-5nju-9ubz"},{"vulnerability":"VCID-twuy-wzb7-k7g3"},{"vulnerability":"VCID-van9-c9qy-5bh5"},{"vulnerability":"VCID-vasz-rnn1-67ev"},{"vulnerability":"VCID-w9yn-1573-hyau"},{"vulnerability":"VCID-ymw8-mvrz-e7bc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@4.0.0-RC1"},{"url":"http://public2.vulnerablecode.io/api/packages/73168?format=json","purl":"pkg:composer/craftcms/cms@5.0.0-RC1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1468-4fdx-kbfr"},{"vulnerability":"VCID-1mb5-28xp-ckd2"},{"vulnerability":"VCID-39ct-cg7w-kyb6"},{"vulnerability":"VCID-4wkr-jx1w-77hn"},{"vulnerability":"VCID-5cxe-tjpb-3qan"},{"vulnerability":"VCID-5mnd-qvaq-k3am"},{"vulnerability":"VCID-5q5g-jrxm-eyhe"},{"vulnerability":"VCID-71sv-62m4-z3er"},{"vulnerability":"VCID-7y4f-ef7t-47eb"},{"vulnerability":"VCID-8u2j-17a4-q7eh"},{"vulnerability":"VCID-9enr-b6zd-mbh8"},{"vulnerability":"VCID-a3b5-pwyh-yugv"},{"vulnerability":"VCID-akrv-yqnf-1kg8"},{"vulnerability":"VCID-azr5-12f8-hfbm"},{"vulnerability":"VCID-c2nk-y4rx-1qf4"},{"vulnerability":"VCID-cys8-jnmu-77ec"},{"vulnerability":"VCID-esma-wxje-eqh3"},{"vulnerability":"VCID-fpea-e48p-kfbn"},{"vulnerability":"VCID-h6t5-pdp5-8qhe"},{"vulnerability":"VCID-hkp9-3hzv-quhk"},{"vulnerability":"VCID-hyct-5gap-7kdu"},{"vulnerability":"VCID-jeyh-3jxd-z3g6"},{"vulnerability":"VCID-jsfs-azcs-mfcm"},{"vulnerability":"VCID-jxz8-g6fq-dubw"},{"vulnerability":"VCID-kbrc-85av-nfcn"},{"vulnerability":"VCID-m5rf-usae-yfb7"},{"vulnerability":"VCID-pgm4-svq8-tfc5"},{"vulnerability":"VCID-ppet-ruae-1kav"},{"vulnerability":"VCID-qq68-3j4y-47am"},{"vulnerability":"VCID-qywv-vf4r-8bh9"},{"vulnerability":"VCID-r5hp-5nju-9ubz"},{"vulnerability":"VCID-rb7c-3nkc-gkeg"},{"vulnerability":"VCID-twuy-wzb7-k7g3"},{"vulnerability":"VCID-vasz-rnn1-67ev"},{"vulnerability":"VCID-vvhc-rnpr-ubey"},{"vulnerability":"VCID-w9yn-1573-hyau"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/craftcms/cms@5.0.0-RC1"}],"references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-57811","reference_id":"","reference_type":"","scores":[{"value":"0.00227","scoring_system":"epss","scoring_elements":"0.45595","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-57811"},{"reference_url":"https://github.com/craftcms/cms","reference_id":"","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms"},{"reference_url":"https://github.com/craftcms/cms/commit/e77f8a287dcdda41f1724f525d03542f18566cbc","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-08-25T18:05:02Z/"}],"url":"https://github.com/craftcms/cms/commit/e77f8a287dcdda41f1724f525d03542f18566cbc"},{"reference_url":"https://github.com/craftcms/cms/pull/17612","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-08-25T18:05:02Z/"}],"url":"https://github.com/craftcms/cms/pull/17612"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-57811","reference_id":"CVE-2025-57811","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-57811"},{"reference_url":"https://github.com/advisories/GHSA-crcq-738g-pqvc","reference_id":"GHSA-crcq-738g-pqvc","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-crcq-738g-pqvc"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-crcq-738g-pqvc","reference_id":"GHSA-crcq-738g-pqvc","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-08-25T18:05:02Z/"}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-crcq-738g-pqvc"},{"reference_url":"https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv","reference_id":"GHSA-f3cw-hg6r-chfv","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv"}],"weaknesses":[{"cwe_id":1336,"name":"Improper Neutralization of Special Elements Used in a Template Engine","description":"The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine."},{"cwe_id":22,"name":"Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","description":"The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory."},{"cwe_id":94,"name":"Improper Control of Generation of Code ('Code Injection')","description":"The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."},{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."}],"exploits":[],"severity_range_score":"4.0 - 6.9","exploitability":"0.5","weighted_severity":"6.2","risk_score":3.1,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-h6t5-pdp5-8qhe"}