CVE-2025-68454
Published: 05 January 2026
Description
Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via Twig SSTI. For this to work, users must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled, which is against Craft CMS' recommendations for any non-dev environment. Alternatively, a non-administrator account with allowAdminChanges disabled can be used, provided access to the System Messages utility is available. It is possible to craft a malicious payload using the Twig `map` filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to an RCE. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.
Mitigating Controls (NIST 800-53 r5)
Flaw remediation directly addresses the SSTI vulnerability by applying vendor patches (5.8.21 or 4.16.17) to prevent RCE exploitation.
Information input validation prevents malicious Twig payloads using the map filter from being processed in text fields under Settings or System Messages.
Least privilege limits administrator access to the Craft Control Panel and System Messages utility, reducing the authenticated attack surface for SSTI exploitation.
Security Summary
CVE-2025-68454 affects Craft CMS, a platform for creating digital experiences, in versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16. The vulnerability enables potential authenticated remote code execution (RCE) through server-side template injection (SSTI) in the Twig templating engine, classified under CWE-1336 with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Exploitation requires an authenticated attacker with administrator access to the Craft Control Panel where the allowAdminChanges setting is enabled, though this is against Craft CMS recommendations for non-development environments. Alternatively, a non-administrator account with access to the System Messages utility suffices. Attackers can craft a malicious payload leveraging the Twig `map` filter within text fields that accept Twig input, such as those under Settings in the control panel or the System Messages utility, resulting in RCE.
Craft CMS advisories recommend updating to the patched releases—version 5.8.21 for the 5.x series and 4.16.17 for the 4.x series—to mitigate the issue. Details are available in the project's changelog at https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04, the fixing commit at https://github.com/craftcms/cms/commit/d82680f4a05f9576883bb83c3f6243d33ca73ebe, and the GitHub security advisory at https://github.com/craftcms/cms/security/advisories/GHSA-742x-x762-7383.
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is explicitly server-side template injection (SSTI) in the Twig engine enabling authenticated RCE, directly mapping to T1221 (Template Injection). As an exploitable flaw in a public-facing web application (Craft CMS control panel), it maps to T1190 (Exploit Public-Facing Application).