CVE-2025-52122

CRITICAL

Freeform 5.0.0-5.10.15 - Server-Side Template Injection via Form Submission Title


Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-52122. PoCs published by TimTrademark.

AI-analyzed exploit summary: This repository demonstrates a Server-Side Template Injection (SSTI) vulnerability in CraftCMS Freeform, allowing arbitrary code execution via the 'call' Twig filter. The PoC shows how an attacker can inject a system command (e.g., curl) through a crafted submission title, leading to RCE.

Description

Freeform 5.0.0 to before 5.10.16, a plugin for CraftCMS, contains a Server-Side Template Injection (SSTI) vulnerability, resulting in arbitrary code injection for all users that have access to editing a form (submission title).

Exploits (1)

nomisec WORKING POC
by TimTrademark · poc
https://github.com/TimTrademark/CVE-2025-52122


Classification
Working PoC 95%
Attack Type
RCE
Complexity
Trivial
Reliability
Reliable
Target: CraftCMS Freeform v5.0.0 to v5.10.15
Auth required
Prerequisites: Access to edit a form in CraftCMS Freeform · Ability to submit a crafted form with malicious Twig template
devstral-2 · analyzed Feb 18, 2026

References (2)

Core References
Exploit, Third Party Advisory
https://github.com/TimTrademark/CVE-2025-52122

Scores

CVSS v3 9.8
EPSS 0.0015
EPSS Percentile 36.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-1336 CWE-94
Status published
Products (2)
solspace/craft-freeform 5.0.0 - 5.10.16 (Packagist)
solspace/freeform 5.0.0 - 5.10.16
Published Aug 27, 2025
Tracked Since Feb 18, 2026