CVE-2025-46731

Source
https://cve.org/CVERecord?id=CVE-2025-46731
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-46731.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-46731
Aliases
Related
Published
2025-05-05T19:35:31.347Z
Modified
2026-04-10T05:29:09.327790Z
Severity
  • 7.3 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
Craft CMS Contains a Potential Remote Code Execution Vulnerability via Twig SSTI
Details

Craft is a content management system. Versions of Craft CMS on the 4.x branch prior to 4.14.13 and on the 5.x branch prior to 5.6.16 contains a potential remote code execution vulnerability via Twig SSTI. One must have administrator access and ALLOW_ADMIN_CHANGES must be enabled for this to work. Users should update to the patched versions 4.14.13 or 5.6.15 to mitigate the issue.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/46xxx/CVE-2025-46731.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-1336"
    ]
}
References

Affected packages

Git / github.com/craftcms/cms

Affected ranges

Type
GIT
Repo
http://github.com/craftcms/cms
Events
Introduced
daac7c1da2f701f2e9ddee1da1457ce61660b581
Fixed
a17667bd7ba7e69c4eb19eb7d13f039a6904e130
Database specific
{
    "versions": [
        {
            "introduced": "4.0.0-RC1"
        },
        {
            "fixed": "4.14.13"
        }
    ]
}
Type
GIT
Repo
http://github.com/craftcms/cms
Events
Introduced
04755d93f86d07cc183db47db8a0eee106892e30
Fixed
5ad0b36612ad190c841bd55cc05fcebc299ac1d7
Database specific
{
    "versions": [
        {
            "introduced": "5.0.0-RC1"
        },
        {
            "fixed": "5.6.15"
        }
    ]
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-46731.json"

Git / github.com/craftcms/cms

Affected ranges

Type
GIT
Repo
https://github.com/craftcms/cms
Events
Introduced
Fixed
Introduced
Fixed
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "versions": [
        {
            "introduced": "4.1.0"
        },
        {
            "fixed": "4.14.13"
        },
        {
            "introduced": "5.1.0"
        },
        {
            "fixed": "5.6.15"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "4.0.0-rc1"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "4.0.0-rc2"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "4.0.0-rc3"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "5.0.0-rc1"
        }
    ]
}

Affected versions

0.*
0.9.2063
0.9.2064
0.9.2065
0.9.2068
0.9.2071
0.9.2078
0.9.2079
0.9.2080
0.9.2081
0.9.2083
0.9.2090
0.9.2094
0.9.2100
0.9.2101
0.9.2102
0.9.2103
0.9.2106
0.9.2116
0.9.2117
0.9.2123
0.9.2124
0.9.2146
0.9.2151
0.9.2157
0.9.2167
0.9.2168
0.9.2177
0.9.2181
0.9.2184
0.9.2189
0.9.2193
0.9.2243
0.9.2246
1.*
1.0.0-alpha.2236
1.0.0-alpha.2237
1.0.0-alpha.2238
1.0.0-alpha.2241
1.0.0-alpha.2242
1.0.0-alpha.2244
1.0.0-alpha.2245
1.0.0-alpha.2247
1.0.0-alpha.2248
1.0.0-alpha.2249
1.0.2266
1.1.0-alpha.2283
1.1.0-alpha.2284
1.1.0-alpha.2285
1.1.0-alpha.2288
1.1.2291
1.2.0-alpha.2310
1.2.0-alpha.2312
1.2.0-alpha.2318
1.2.0-alpha.2319
1.2.0-alpha.2322
1.2.0-alpha.2328
1.2.0-alpha.2329
1.2.2333
1.2.2335
1.2.2336
1.2.2339
1.4.0-alpha.2488
1.4.0-alpha.2489
1.4.0-alpha.2490
1.4.0-alpha.2491
1.4.0-alpha.2492
1.4.0-alpha.2493
1.4.0-alpha.2497
1.4.0-alpha.2498
1.4.0-alpha.2499
1.4.0-alpha.2500
1.4.0-alpha.2502
1.4.0-alpha.2503
1.4.0-alpha.2505
1.4.0-alpha.2509
2.*
2.0.2524
2.0.2525
2.0.2527
2.0.2532
2.0.2533
2.0.2535
2.0.2536
2.0.2537
2.0.2538
2.0.2539
2.1.0-alpha.2546
2.1.0-alpha.2547
2.1.0-alpha.2552
2.1.2554
2.1.2555
2.1.2556
2.1.2557
2.2.0-alpha.2578
2.2.2579
2.2.2581
2.3.0-alpha.2600
2.3.0-alpha.2602
2.3.0-alpha.2603
2.3.0-alpha.2605
2.3.0-alpha.2606
2.3.0-alpha.2608
2.3.0-alpha.2610
2.3.0-alpha.2612
2.3.2615
2.3.2616
2.3.2617
3.*
3.0.0-alpha.2671
3.0.0-alpha.2681
3.0.0-alpha.2687
3.0.0-alpha.2915
3.0.0-alpha.2918
3.0.0-alpha.2928
3.0.0-alpha.2933
3.0.0-alpha.2937
3.0.0-alpha.2939
3.0.0-alpha.2942
3.0.0-alpha.2948
3.5.0-RC1
3.5.0-RC1.1
3.5.0-RC2
3.5.0-RC3
3.5.0-RC4
3.5.0-RC5
3.5.0-RC6
3.5.0-beta.1
3.5.0-beta.2
3.5.0-beta.3
4.*
4.0.0-RC1
4.0.0-RC2
4.0.0-RC3
4.10.0-beta.1
4.10.0-beta.2
4.11.0
4.11.0.1
4.11.0.2
4.12.0
4.13.0
4.13.1
4.13.1.1
4.13.10
4.13.2
4.13.3
4.13.4
4.13.5
4.13.6
4.13.8
4.13.9
4.14.0
4.14.0.1
4.14.0.2
4.14.1
4.14.10
4.14.11
4.14.11.1
4.14.12
4.14.2
4.14.3
4.14.4
4.14.5
4.14.6
4.14.7
4.14.8
4.14.8.1
4.14.9
4.8.10
4.8.11
4.8.6
4.8.7
4.8.8
4.8.9
5.*
5.0.0-RC1
5.0.0-alpha.1
5.0.0-alpha.10
5.0.0-alpha.11
5.0.0-alpha.12
5.0.0-alpha.13
5.0.0-alpha.2
5.0.0-alpha.3
5.0.0-alpha.4
5.0.0-alpha.5
5.0.0-alpha.6
5.0.0-alpha.7
5.0.0-alpha.8
5.0.0-alpha.9
5.0.0-beta.1
5.0.0-beta.10
5.0.0-beta.11
5.0.0-beta.2
5.0.0-beta.3
5.0.0-beta.4
5.0.0-beta.5
5.0.0-beta.6
5.0.0-beta.7
5.0.0-beta.8
5.0.0-beta.9
5.2.0-beta.1
5.2.0-beta.2
5.2.0-beta.3
5.2.0-beta.4
5.2.0-beta.5
5.3.0
5.3.0-beta.1
5.3.0-beta.2
5.3.0.1
5.3.0.2
5.3.0.3
5.4.0
5.5.0
5.5.0.1
5.6.0
5.6.0.1
5.6.0.2
5.6.1
5.6.10
5.6.10.1
5.6.10.2
5.6.11
5.6.12
5.6.13
5.6.14
5.6.2
5.6.3
5.6.4
5.6.5
5.6.5.1
5.6.6
5.6.7
5.6.8
5.6.9
5.6.9.1
@craftcms/sass@1.*
@craftcms/sass@1.0.0
@craftcms/sass@1.0.1
@craftcms/webpack@0.*
@craftcms/webpack@0.0.1
@craftcms/webpack@0.2.0
@craftcms/webpack@0.3.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-46731.json"