What is the CVSS score of CVE-2025-68454?

CVE-2025-68454 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.4%.

Which versions of Craft Cms are affected by CVE-2025-68454?

Organizations using Craft face significant risk from CVE-2025-68454 rated CVSS 8.8.. A patch is available.

Is there a public PoC exploit available for CVE-2025-68454?

Yes, a public proof-of-concept exploit is available for CVE-2025-68454. Prioritise patching immediately. EPSS: 0.4%.

How to fix or mitigate CVE-2025-68454?

Within 7 days: Identify all affected systems and apply vendor patches promptly. Vendor patch is available.

Craft Cms CVE-2025-68454

HIGH

Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336)

2026-01-05 security-advisories@github.com

GHSA-742x-x762-7383

RCE Craft Cms

8.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Jan 12, 2026 - 18:23 vuln.today

Public exploit code

Patch released

Jan 12, 2026 - 18:23 nvd

Patch available

CVE Published

Jan 05, 2026 - 22:15 nvd

HIGH 8.8

DescriptionNVD

Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via Twig SSTI. For this to work, users must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled, which is against Craft CMS' recommendations for any non-dev environment. Alternatively, a non-administrator account with allowAdminChanges disabled can be used, provided access to the System Messages utility is available. It is possible to craft a malicious payload using the Twig map filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.

AnalysisAI

Technical ContextAI

Affects Craft Cms. Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via Twig SSTI. For this to work, users must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled, which is against Craft CMS' recommendations for any non-dev environment. Alternatively, a non-administrator account with allowAdminChanges disabled can be used, provided access to t

RemediationAI

A vendor patch is available — apply it immediately. Restrict network access to the affected service where possible.

CVE-2025-68454 vulnerability details – vuln.today

Back

Craft Cms CVE-2025-68454

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code