Craft CMS contains a potential remote code execution vulnerability via Twig SSTI. You must have administrator access and ALLOW_ADMIN_CHANGES must be enabled for this to work.
https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production
Note: This is a follow-up to https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv
Users should update to the patched versions (4.14.13 and 5.6.15) to mitigate the issue.
https://github.com/craftcms/cms/pull/17026
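As an added defender-side check (not Craft's own tooling and not part of this advisory): a POSIX sh script that reads the craftcms/cms version from composer.lock, compares it per release line against the fixed versions named above, and, when the install is unpatched, reports whether the project's .env still leaves ALLOW_ADMIN_CHANGES enabled. It assumes composer.lock's usual "name"/"version" layout, the variable name used in this advisory, and Craft's default of allowAdminChanges being true when the variable is unset.

```shell
# Added example: triage one Craft project against this advisory. Assumes composer.lock
# lists craftcms/cms with a plain "version" field and .env carries ALLOW_ADMIN_CHANGES.
# version_ge A B: succeeds when dotted version A >= B; pre-release suffixes are dropped
version_ge() {
  v1=${1%%-*}; v2=${2%%-*}
  while [ -n "$v1" ] || [ -n "$v2" ]; do
    p1=${v1%%.*}; p2=${v2%%.*}
    if [ "$v1" = "$p1" ]; then v1=; else v1=${v1#*.}; fi
    if [ "$v2" = "$p2" ]; then v2=; else v2=${v2#*.}; fi
    if [ "${p1:-0}" -gt "${p2:-0}" ]; then return 0; fi
    if [ "${p1:-0}" -lt "${p2:-0}" ]; then return 1; fi
  done
  return 0
}
# craft_is_patched VERSION: fixed floors from the advisory, one per supported release line
craft_is_patched() {
  case "$1" in
    5.*) version_ge "$1" 5.6.15 ;;
    4.*) version_ge "$1" 4.14.13 ;;
    *)   return 1 ;;   # unknown or older line: treat as unpatched
  esac
}
# craft_version_from_lock FILE: version of craftcms/cms recorded in composer.lock (empty if absent)
craft_version_from_lock() {
  [ -f "$1" ] || return 0
  awk '/"name": "craftcms\/cms"/ { found = 1 }
       found && /"version":/ { gsub(/[",]/, "", $2); sub(/^v/, "", $2); print $2; exit }' "$1"
}
# admin_changes_allowed ENVFILE: succeeds unless ALLOW_ADMIN_CHANGES is explicitly off
admin_changes_allowed() {
  val=""
  if [ -f "$1" ]; then
    val=$(sed -n 's/^ALLOW_ADMIN_CHANGES=//p' "$1" | tail -n 1 | tr -d "\"'" | tr 'A-Z' 'a-z')
  fi
  case "$val" in
    false|0|no|off) return 1 ;;   # admin changes disabled, as recommended for production
    *)              return 0 ;;   # unset falls back to Craft's default (true)
  esac
}
# check_site PROJECT_DIR: one-line verdict; exit 0 patched, 1 unpatched but mitigated, 2 exposed
check_site() {
  ver=$(craft_version_from_lock "$1/composer.lock")
  if craft_is_patched "$ver"; then echo "PATCHED ($ver)"; return 0; fi
  if admin_changes_allowed "$1/.env"; then echo "EXPOSED ($ver, admin changes enabled)"; return 2; fi
  echo "UNPATCHED but admin changes disabled ($ver)"; return 1
}
# usage: sh check.sh /path/to/craft-project
if [ -n "${1:-}" ]; then check_site "$1"; fi
```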
{ "nvd_published_at": "2025-05-05T20:15:21Z", "cwe_ids": [ "CWE-1336" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2025-05-05T19:35:37Z" }