Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-qrmg-jky7-87cb
Vulnerability ID VCID-qrmg-jky7-87cb
Aliases CVE-2025-68454
GHSA-742x-x762-7383
Summary Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via Twig SSTI. For this to work, users must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled, which is against Craft CMS' recommendations for any non-dev environment. Alternatively, a non-administrator account with allowAdminChanges disabled can be used, provided access to the System Messages utility is available. It is possible to craft a malicious payload using the Twig `map` filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00499 https://api.first.org/data/v1/epss?cve=CVE-2025-68454
epss 0.00499 https://api.first.org/data/v1/epss?cve=CVE-2025-68454
epss 0.00499 https://api.first.org/data/v1/epss?cve=CVE-2025-68454
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-742x-x762-7383
cvssv4 5.2 https://github.com/craftcms/cms
generic_textual MODERATE https://github.com/craftcms/cms
cvssv4 5.2 https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04
generic_textual MODERATE https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04
ssvc Track https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04
cvssv4 5.2 https://github.com/craftcms/cms/commit/d82680f4a05f9576883bb83c3f6243d33ca73ebe
generic_textual MODERATE https://github.com/craftcms/cms/commit/d82680f4a05f9576883bb83c3f6243d33ca73ebe
ssvc Track https://github.com/craftcms/cms/commit/d82680f4a05f9576883bb83c3f6243d33ca73ebe
cvssv3.1_qr MODERATE https://github.com/craftcms/cms/security/advisories/GHSA-742x-x762-7383
cvssv4 5.2 https://github.com/craftcms/cms/security/advisories/GHSA-742x-x762-7383
generic_textual MODERATE https://github.com/craftcms/cms/security/advisories/GHSA-742x-x762-7383
ssvc Track https://github.com/craftcms/cms/security/advisories/GHSA-742x-x762-7383
cvssv4 5.2 https://nvd.nist.gov/vuln/detail/CVE-2025-68454
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2025-68454
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2025-68454
CHANGELOG.md#5821---2025-12-04 https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04
CVE-2025-68454 https://nvd.nist.gov/vuln/detail/CVE-2025-68454
d82680f4a05f9576883bb83c3f6243d33ca73ebe https://github.com/craftcms/cms/commit/d82680f4a05f9576883bb83c3f6243d33ca73ebe
GHSA-742x-x762-7383 https://github.com/advisories/GHSA-742x-x762-7383
GHSA-742x-x762-7383 https://github.com/craftcms/cms/security/advisories/GHSA-742x-x762-7383
No exploits are available.
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U Found at https://github.com/craftcms/cms
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U Found at https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-06T14:26:38Z/ Found at https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U Found at https://github.com/craftcms/cms/commit/d82680f4a05f9576883bb83c3f6243d33ca73ebe
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-06T14:26:38Z/ Found at https://github.com/craftcms/cms/commit/d82680f4a05f9576883bb83c3f6243d33ca73ebe
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U Found at https://github.com/craftcms/cms/security/advisories/GHSA-742x-x762-7383
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-06T14:26:38Z/ Found at https://github.com/craftcms/cms/security/advisories/GHSA-742x-x762-7383
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U Found at https://nvd.nist.gov/vuln/detail/CVE-2025-68454
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.66351
EPSS Score 0.00499
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T16:58:55.115148+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2025/68xxx/CVE-2025-68454.json 38.6.0