What is the CVSS score of CVE-2025-23209?

CVE-2025-23209 has a CVSS 3.1 base score of 8.0 (High). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H. EPSS exploitation probability: 19.1%.

Which versions of Craft Cms are affected by CVE-2025-23209?

Organizations using Craft face notable risk from CVE-2025-23209, a code injection vulnerability rated CVSS 8.0.. A patch is available.

Is CVE-2025-23209 being actively exploited?

Yes, CVE-2025-23209 is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, confirming active in-the-wild exploitation. Immediate patching is required.

How to fix or mitigate CVE-2025-23209?

Within 24 hours: Identify all affected systems and apply vendor patches immediately. Validate that input sanitization is in place for all user-controlled parameters.

Craft Cms CVE-2025-23209

HIGH

Code Injection (CWE-94)

2025-01-18 security-advisories@github.com

RCE Code Injection Craft Cms

8.0

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:04 vuln.today

Patch released

Mar 28, 2026 - 18:04 nvd

Patch available

Added to CISA KEV

Oct 24, 2025 - 13:59 cisa

CISA KEV

CVE Published

Jan 18, 2025 - 01:15 nvd

HIGH 8.0

DescriptionNVD

Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. This is an remote code execution (RCE) vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised. Anyone running an unpatched version of Craft with a compromised security key is affected. This vulnerability has been patched in Craft 5.5.8 and 4.13.8. Users who cannot update to a patched version, should rotate their security keys and ensure their privacy to help migitgate the issue.

AnalysisAI

Craft CMS 4 and 5 contain a remote code execution vulnerability exploitable when the application's security key has been compromised, allowing attackers with the key to execute arbitrary code on the server.

Technical ContextAI

The CWE-94 code injection requires knowledge of the Craft CMS security key (used for signing cookies and tokens). With the key, attackers can craft signed payloads that the CMS trusts and processes, leading to PHP code execution.

RemediationAI

Update Craft CMS. Rotate the security key immediately. Ensure .env files are not publicly accessible. Check git repositories for accidentally committed secrets.

CVE-2025-23209 vulnerability details – vuln.today

Back

Craft Cms CVE-2025-23209

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code