CVE-2025-46731: Craft CMS Contains a Potential Remote Code Execution Vulnerability via Twig SSTI

May 5, 2025

Craft CMS contains a potential remote code execution vulnerability via Twig SSTI. You must have administrator access and ALLOW_ADMIN_CHANGES must be enabled for this to work.

https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production

Note: This is a follow-up to https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv

Users should update to the patched versions (4.14.13 and 5.6.15) to mitigate the issue.

References

craftcms.com/knowledge-base/securing-craft
github.com/advisories/GHSA-7c58-g782-9j38
github.com/craftcms/cms
github.com/craftcms/cms/security/advisories/GHSA-7c58-g782-9j38
github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv
nvd.nist.gov/vuln/detail/CVE-2025-46731

Code Behaviors & Features

Detect and mitigate CVE-2025-46731 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →