CVE-2025-46731

HIGH

Craft CMS <4.14.13, <5.6.16 - Authenticated RCE

Title source: llm

Description

Craft is a content management system. Versions of Craft CMS on the 4.x branch prior to 4.14.13 and on the 5.x branch prior to 5.6.16 contains a potential remote code execution vulnerability via Twig SSTI. One must have administrator access and `ALLOW_ADMIN_CHANGES` must be enabled for this to work. Users should update to the patched versions 4.14.13 or 5.6.15 to mitigate the issue.

Exploits (1)

nomisec STUB

by singetu0096 · poc

https://github.com/singetu0096/CVE-2025-46731

View Code ZIP pw:eip

References (4)

[Patch] http://github.com/craftcms/cms/pull/17026

[Product] https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production

[Third Party Advisory] https://github.com/craftcms/cms/security/advisories/GHSA-7c58-g782-9j38

[Not Applicable] https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv

Scores

CVSS v3 7.2

EPSS 0.0091

EPSS Percentile 75.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-1336

Status published

Products (4)

craftcms/cms 4.0.0-RC1 - 4.14.13Packagist

craftcms/craft_cms 4.0.0 rc1 (3 CPE variants)

craftcms/craft_cms 5.0.0 rc1

craftcms/craft_cms 4.1.0 - 4.14.13

Published May 05, 2025

Tracked Since Feb 18, 2026