VYPR
Critical severity · NVD Advisory · Published Aug 27, 2025 · Updated Aug 27, 2025

CVE-2025-52122

Description

Freeform 5.0.0 to before 5.10.16, a plugin for CraftCMS, contains a server-side template injection (SSTI) vulnerability, resulting in arbitrary code injection for all users who have access to editing a form (submission title).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2025-52122 is an SSTI vulnerability in CraftCMS Freeform 5.0.0 up to but not including 5.10.16. A user with form-editing access can place a Twig expression in a form's submission title; Freeform renders that title server-side, so the expression is evaluated and arbitrary code runs on the server.

Vulnerability

CVE-2025-52122 is a server-side template injection (SSTI) vulnerability in the Freeform plugin for CraftCMS, affecting versions from 5.0.0 up to but not including 5.10.16 [1][3]. Two things combine to make it exploitable: the submission title of a form is itself a Twig template that Freeform renders server-side, and it is editable by anyone with permission to edit the form; and Freeform ships a custom Twig `call` filter that lets a template invoke a PHP function by name, so the template language available to a form editor is not a safe subset but reaches straight into the PHP runtime [3][4].

Exploitation

An attacker who can edit a form, and therefore its submission title, writes a Twig expression into that title. When a submission is created, Freeform renders the title and evaluates the expression. The payload shape given in the advisory, `{{ 'system' | call('curl ...') }}`, hands the string `'system'` to the `call` filter, which invokes PHP's `system()` with the attacker-supplied argument, so an arbitrary operating-system command runs on the web server [3][4]. Two preconditions apply: the attacker needs the permission to modify the form's submission title setting, and the form must then receive a submission, either sent by the attacker or by any ordinary visitor [3]. Note that the required privilege is form editing, not site administration, so every content editor with Freeform form permissions is in scope, and because the payload lives in a form setting rather than in a single request, it fires on every subsequent submission until the setting is cleaned up.

Impact

Successful exploitation gives the attacker arbitrary code execution in the context of the PHP process serving the CraftCMS site, which amounts to full compromise of the site. From there the attacker can run system commands, read configuration and database credentials, exfiltrate submission data, or pivot further into the hosting infrastructure [1][3].

Mitigation

The vulnerability is fixed in Freeform 5.10.16; upgrade to that version or later without delay. No workaround is described, and the vendor has addressed the issue in the referenced commit [3][4]. Because a pre-patch compromise leaves its payload in the form configuration, patching alone does not remove an already-planted expression: after upgrading, review the submission title of every form for Twig expressions, in particular any use of the `call` filter, and treat a hit as an incident rather than a misconfiguration.
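Offline triage for the two checks the Exploitation and Mitigation sections call for: whether the installed Freeform version falls in the advisory's affected range, and whether any form's submission title already carries a `call` filter expression. This is an added example, not code from the advisory, from Solspace or from the Freeform project. The version range and the payload shape come from this page; the composer.lock content and the (handle, title template) pairs are constructed samples, since the page does not state how or where Freeform stores the title template, and a real export would have to be pulled from the site's form settings.

```python
"""Triage helper for CVE-2025-52122 (Freeform SSTI via the Twig `call` filter).

Added example, not part of the advisory or of Solspace's code.
Assumptions (not stated on the page): composer.lock is the installed-version
source, and form settings can be exported as (handle, title_template) pairs.
"""
import json
import re

AFFECTED_PACKAGE = "solspace/craft-freeform"
FIRST_AFFECTED = (5, 0, 0)   # advisory: >= 5.0.0
FIXED = (5, 10, 16)          # advisory: < 5.10.16 affected, 5.10.16 patched


def parse_version(text):
    """'5.10.15' or 'v5.10.15' -> (5, 10, 15). Pre-release suffixes are dropped."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True when FIRST_AFFECTED <= version < FIXED."""
    return FIRST_AFFECTED <= parse_version(version) < FIXED


def check_composer_lock(lock_json):
    """Return (installed_version, vulnerable) for Freeform, or (None, False) if absent."""
    lock = json.loads(lock_json)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == AFFECTED_PACKAGE:
            ver = pkg["version"]
            return ver, is_affected(ver)
    return None, False


# `... | call(` anywhere in a template; whitespace around the pipe is tolerated.
CALL_FILTER = re.compile(r"\|\s*call\s*\(", re.IGNORECASE)
# Twig output ({{ }}) or statement ({% %}) delimiters; a title without them is plain text.
TWIG_DELIM = re.compile(r"\{\{|\{%")


def scan_title_templates(forms):
    """forms: iterable of (handle, title_template).
    Returns the handles whose title template pipes a value into the `call` filter."""
    flagged = []
    for handle, template in forms:
        if TWIG_DELIM.search(template) and CALL_FILTER.search(template):
            flagged.append(handle)
    return flagged


# Constructed sample data (not from a real site).
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "craftcms/cms", "version": "5.8.0"},
        {"name": "solspace/craft-freeform", "version": "5.10.15"},
    ]
})

SAMPLE_FORMS = [
    # ordinary title template using field values and a harmless date filter
    ("contact", "{{ firstName }} {{ lastName }} - {{ dateCreated|date('Y-m-d') }}"),
    # plain-text title, no Twig at all
    ("newsletter", "Newsletter signup"),
    # payload shape quoted in the advisory, planted by a form editor
    ("webhook", "{{ 'system' | call('curl ...') }}"),
]

if __name__ == "__main__":
    version, vulnerable = check_composer_lock(SAMPLE_COMPOSER_LOCK)
    print(f"{AFFECTED_PACKAGE} {version}: {'VULNERABLE' if vulnerable else 'not affected'}")
    for handle in scan_title_templates(SAMPLE_FORMS):
        print(f"form '{handle}': submission title uses the Twig call filter")
```

The template scan is deliberately narrow: it only catches the filter named on this page. A title template that contains any Twig expression at all deserves a look, because the rendering context, not just the `call` filter, is what a form editor controls.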

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                  Source     Affected versions     Patched versions
solspace/craft-freeform  Packagist  >= 5.0.0, < 5.10.16   5.10.16

Affected products

  • CraftCMS/Freeform

