PT-2025-32419 · Craft · Craft

Segfault-It · Published 2025-08-08 · Updated 2025-08-09 · CVE-2025-54417

CVSS v3.1 8.8 High
Vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Craft versions 4.13.8 through 4.16.2
Craft versions 5.5.8 through 5.8.3
Description
Craft is a platform for creating digital experiences. In the affected versions, Craft's security checks can be bypassed in a way that leads to remote code execution (RCE). Two preconditions apply: the attacker must hold a compromised copy of the site's security key, and must be able to create an arbitrary file in Craft's /storage/backups folder. With both in hand, a crafted request to the /updater/restore-db endpoint causes CLI commands to be executed on the server. The CVSS vector (PR:L) reflects that no elevated Craft privileges are needed beyond those preconditions. Because a leaked security key is a precondition, a site whose key may have been exposed (for example, a committed .env file) should rotate the key in addition to upgrading, and the web server user should not need write access to /storage/backups from request-handling code paths.
Recommendations
Update Craft 4.x installations to 4.16.3 or later, and Craft 5.x installations to 5.8.4 or later.
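The following triage script is an added example for this advisory; it is not code from Craft CMS or from the advisory. It checks an installed craftcms/cms version from a composer.lock against the affected ranges listed above, and scans web server access logs (Apache/Nginx combined format) for requests to the updater/restore-db action, which is the endpoint named in the description. The composer.lock fragment and the log lines embedded at the bottom are constructed sample data; the assumption that Craft exposes controller actions under its action trigger (default "actions") is why the scan matches the action path rather than a fixed URL prefix.

```python
"""Triage helpers for CVE-2025-54417 (Craft CMS, updater/restore-db).

Added example, not Craft CMS project code. Assumes a composer.lock in the
standard Composer JSON format and access logs in combined log format.
"""
import json
import re
from typing import Iterable, Optional

# Affected ranges (inclusive) and fixed versions, as listed in the advisory.
AFFECTED_RANGES = {
    4: ((4, 13, 8), (4, 16, 2)),
    5: ((5, 5, 8), (5, 8, 3)),
}
FIXED_VERSIONS = {4: "4.16.3", 5: "5.8.4"}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> tuple:
    """Return (major, minor, patch) from a Craft version string.

    Pre-release/build suffixes such as "5.8.4-beta.1" are ignored, so a
    pre-release of a fixed version is treated as fixed; check tags
    separately if you deploy pre-releases.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(version: str) -> bool:
    """True if the version lies inside one of the advisory's affected ranges."""
    v = parse_version(version)
    rng = AFFECTED_RANGES.get(v[0])
    if rng is None:
        return False
    lo, hi = rng
    return lo <= v <= hi


def remediation(version: str) -> str:
    """Human-readable remediation for the given installed version."""
    v = parse_version(version)
    if not is_affected(version):
        return "not in an affected range"
    return f"update to Craft {FIXED_VERSIONS[v[0]]} or later"


def craft_version_from_lock(lock_json: str) -> Optional[str]:
    """Pull the installed craftcms/cms version out of composer.lock text."""
    data = json.loads(lock_json)
    for pkg in data.get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg.get("version")
    return None


# Assumption: Craft routes controller actions under its action trigger
# (default "actions"), either as a path segment or as the p= query
# parameter, so match the action path rather than a fixed URL prefix.
_RESTORE_DB_RE = re.compile(r"updater/restore-db\b")
_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def find_restore_db_requests(log_lines: Iterable[str]) -> list:
    """Return one dict per access-log line whose request target hits restore-db."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        ip, ts, method, target, status = m.groups()
        if _RESTORE_DB_RE.search(target):
            hits.append({"ip": ip, "time": ts, "method": method,
                         "target": target, "status": int(status)})
    return hits


# Constructed sample data (not from a real system).
SAMPLE_LOCK = json.dumps({"packages": [{"name": "craftcms/cms", "version": "5.7.1"}]})
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Aug/2025:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [08/Aug/2025:10:00:07 +0000] "POST /actions/updater/restore-db HTTP/1.1" 200 87 "-" "curl/8.0"',
    '198.51.100.9 - - [08/Aug/2025:10:01:00 +0000] "GET /index.php?p=actions/updater/restore-db HTTP/1.1" 400 12 "-" "curl/8.0"',
]

if __name__ == "__main__":
    ver = craft_version_from_lock(SAMPLE_LOCK)
    print(f"craftcms/cms {ver}: affected={is_affected(ver)}; {remediation(ver)}")
    for hit in find_restore_db_requests(SAMPLE_LOG):
        print("restore-db request:", hit)
```

A hit on restore-db is not by itself evidence of exploitation, since the endpoint is used by the legitimate control-panel updater; correlate the source IP and timing with administrator activity, and treat requests that arrive outside an update window, or from hosts that never authenticated to the control panel, as the ones to investigate.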

Exploit · Fix · RCE · Code Injection

Weakness Enumeration

Related Identifiers

CVE-2025-54417
GHSA-2VCF-QXV3-2MGW

Affected Products

Craft