CVE-2025-68454

Name of the Vulnerable Software and Affected Versions Craft versions 5.0.0-RC1 through 5.8.20 Craft versions 4.0.0-RC1 through 4.16.16

Description Craft is susceptible to authenticated Remote Code Execution (RCE) through a Twig Server-Side Template Injection (SSTI). Successful exploitation requires administrator access to the Craft Control Panel with allowAdminChanges enabled, which is not recommended for non-development environments. Alternatively, a non-administrator account with access to the System Messages utility can be used if allowAdminChanges is disabled. A malicious payload can be crafted using the Twig map filter in text fields that accept Twig input within the Settings section of the Craft Control Panel or through the System Messages utility, potentially leading to RCE.

Recommendations Update to version 5.8.21 Update to version 4.16.17