PT-2025-19793 · Craft CMS · Craft CMS

Singetu0096

·

Published

2024-11-13

·

Updated

2025-05-14

·

CVE-2025-46731

CVSS v4.0

8.6

High

Vector

AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Craft CMS versions 4.0.0-RC1 through 4.14.12
Craft CMS versions 5.0.0-RC1 through 5.6.14
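As an added check that is not part of this advisory, the script below classifies a Craft CMS version against the affected ranges listed above using PHP's version_compare(), which orders pre-release tags such as RC1 before the final release. The ranges come from this page; the function name, the composer.lock lookup and the sample version list are assumptions.

```php
<?php
// Added example: is an installed Craft CMS version inside the ranges
// this advisory lists? Ranges are from the advisory; everything else
// (function name, lock-file lookup, sample versions) is an assumption.
declare(strict_types=1);

// [first affected version, last affected version], both inclusive.
const CRAFT_AFFECTED_RANGES = [
    ['4.0.0-RC1', '4.14.12'],
    ['5.0.0-RC1', '5.6.14'],
];

/**
 * True when $version falls inside one of the affected ranges.
 * version_compare() canonicalises pre-release suffixes, so 4.0.0-RC1
 * sorts before 4.0.0 and 5.6.14-beta.1 before 5.6.14. A leading "v"
 * (as some lock files carry) would break that ordering, so strip it.
 */
function craftVersionIsAffected(string $version): bool
{
    $version = ltrim(trim($version), 'v');
    foreach (CRAFT_AFFECTED_RANGES as [$low, $high]) {
        if (version_compare($version, $low, '>=') && version_compare($version, $high, '<=')) {
            return true;
        }
    }
    return false;
}

// Inside a Craft project, read the pinned craftcms/cms version from
// composer.lock; elsewhere fall back to a constructed sample list.
$versions = [];
$lock = __DIR__ . '/composer.lock';
if (is_file($lock)) {
    $data = json_decode((string) file_get_contents($lock), true);
    foreach ($data['packages'] ?? [] as $pkg) {
        if (($pkg['name'] ?? '') === 'craftcms/cms') {
            $versions[] = (string) $pkg['version'];
        }
    }
}
if ($versions === []) {
    // Constructed sample input covering both range boundaries.
    $versions = ['4.0.0-RC1', '4.14.12', '4.14.13', '5.0.0-RC1', '5.6.14', '5.6.15', 'v5.7.0'];
}

foreach ($versions as $v) {
    printf("%-10s %s\n", $v, craftVersionIsAffected($v)
        ? 'AFFECTED: update to 4.14.13 / 5.6.15'
        : 'not in an affected range on this advisory');
}
```

A version outside both ranges (for example a 3.x install) is reported as "not in an affected range on this advisory", not as safe: this page only enumerates the 4.x and 5.x ranges above.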
Description

Craft is a content management system. Affected versions contain a remote code execution vulnerability via server-side template injection (SSTI) in Twig, Craft's template engine. Exploitation requires an authenticated account with administrator access and the allowAdminChanges general config setting enabled (it defaults to true). That precondition is why the CVSS vector carries PR:H; it does not make the issue low impact, since one compromised administrator account is enough to run arbitrary code on the server. It is estimated that around 23,000 installations may be affected. To fix the issue, update to the patched versions 4.14.13 or 5.6.15.
Recommendations

For Craft CMS versions 4.0.0-RC1 through 4.14.12, update to version 4.14.13 to resolve the issue. For Craft CMS versions 5.0.0-RC1 through 5.6.14, update to version 5.6.15 to resolve the issue. As a temporary workaround until the update is applied, set allowAdminChanges to false in production. This removes the precondition for exploitation, at the cost of blocking system-setting, plugin and project config changes from the control panel in that environment; make those changes in a non-production environment and deploy them via project config instead. Because the vulnerable path is only reachable by administrators, also review which accounts hold administrator access.
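The workaround above, shown as an added example rather than a file from Craft or from this advisory: a multi-environment config/general.php that keeps the default (allowAdminChanges true) in the catch-all block and overrides it to false in production. The array-by-environment format and the allowAdminChanges, devMode and defaultWeekStartDay settings are Craft's; the environment names 'dev' and 'production' and the chosen values are assumptions.

```php
<?php
// config/general.php
// Added example (not Craft's own file): multi-environment general config
// with the risky default and the hardened production override side by side.
// Craft merges the '*' block with the block whose key equals the
// CRAFT_ENVIRONMENT environment variable. Environment names are assumed.

return [
    // Applied in every environment.
    '*' => [
        // Weak (and the default): with allowAdminChanges true, every
        // administrator account can reach the admin-only functionality
        // through which this advisory's Twig SSTI is exploited.
        'allowAdminChanges' => true,
        'defaultWeekStartDay' => 1,
    ],

    // Local development: keep admin changes enabled so settings, plugins
    // and project config can be edited here and committed.
    'dev' => [
        'devMode' => true,
    ],

    // Corrected: production refuses system-setting, plugin and project
    // config changes from the control panel, so even a compromised admin
    // account cannot reach the vulnerable path. Deploy changes made in dev
    // via project config instead.
    'production' => [
        'allowAdminChanges' => false,
        'devMode' => false,
    ],
];
```

The 'production' key must match the value of CRAFT_ENVIRONMENT in the production .env exactly, otherwise only the '*' block applies and the override silently does nothing; check that variable on the production host before relying on this workaround.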

Exploit

Fix

RCE

Code Injection

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2025-46731
GHSA-7C58-G782-9J38
GHSA-F3CW-HG6R-CHFV

Affected Products

Craft CMS