Craft Potential Remote Code Execution via Twig SSTI
Description
Craft is a platform for creating digital experiences. From versions 4.0.0-RC1 to 4.16.5 and 5.0.0-RC1 to 5.8.6, there is a potential remote code execution vulnerability via Twig SSTI (Server-Side Template Injection). This is a follow-up to CVE-2024-52293. This vulnerability has been patched in versions 4.16.6 and 5.8.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Craft CMS versions 4.0.0-RC1 to 4.16.5 and 5.0.0-RC1 to 5.8.6 are vulnerable to remote code execution via Twig Server-Side Template Injection, a follow-up to CVE-2024-52293.
Vulnerability
Overview
Craft CMS, a platform for creating digital experiences, contains a remote code execution vulnerability arising from Twig Server-Side Template Injection (SSTI). It affects versions 4.0.0-RC1 through 4.16.5 and 5.0.0-RC1 through 5.8.6 and is a follow-up to CVE-2024-52293. The earlier issue was caused by missing path normalization in FileHelper::absolutePath, which let an attacker bypass system-directory checks and write malicious Twig templates [1][3]. The fix for this follow-up (commit e77f8a287dcd) instead tightens the guard Craft places on the callable passed as the "arrow" argument of Twig filters: call_user_func is added to the list of PHP function names that may not be passed by name.
Attack
Vector and Prerequisites
Exploitation requires an authenticated user with control-panel access and the allowAdminChanges general config setting enabled (written ALLOW_ADMIN_CHANGES in the advisory text; it can also be set through the CRAFT_ALLOW_ADMIN_CHANGES environment variable), because that setting is what permits editing templates and project configuration from the control panel. In CVE-2024-52293 the missing normalization in FileHelper::absolutePath (src/helpers/FileHelper.php) meant that the isSystemDir method in src/services/Security.php did not recognize a path such as ../templates/poc as a system directory, so an authenticated attacker could write or modify templates in locations that should have been restricted and reach Twig SSTI [2][3]. Craft also guards, in checkArrowFunction in src/web/twig/Extension.php, against dangerous PHP function names being handed by name to Twig's array filters as their arrow argument. The patch for this follow-up adds call_user_func to that denylist: call_user_func invokes whatever callable it is given as its first argument, so a name-based denylist that omits such a forwarder can be routed around.
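The guard the patch extends is a denylist applied to the arrow argument of Twig's array filters. The PHP below is an added illustration, not Craft's own code: a hypothetical checkArrow with a made-up denylist (the real list in src/web/twig/Extension.php is longer and is Craft's), simplified stand-ins for the map and reduce filters, and a harmless demonstration of why a forwarder such as call_user_func has to be on such a list. The check also normalizes case and a leading backslash, both of which PHP accepts in a function name; whether Craft's own comparison does the same is not visible on this page.

```php
<?php
declare(strict_types=1);

// Added illustration, not Craft's code. Craft's real guard is
// Extension::checkArrowFunction in src/web/twig/Extension.php; the
// denylist below is a hypothetical stand-in and the two filter wrappers
// are simplified versions of what Twig's map/reduce filters do with
// their "arrow" argument.

/** Hypothetical denylist of function names that must not be passed by name. */
const DENIED_ARROW_FUNCTIONS = [
    'exec', 'passthru', 'shell_exec', 'system', 'proc_open', 'popen',
    'file_get_contents', 'file_put_contents',
    // Forwarders: they call whatever callable their arguments name, so a
    // denylist that omits them can be routed around (the fix on this page
    // adds call_user_func for exactly this reason).
    'call_user_func', 'call_user_func_array',
    'forward_static_call', 'forward_static_call_array',
];

/** PHP resolves function names case-insensitively and accepts a leading "\". */
function normalizeFunctionName(string $name): string
{
    return strtolower(ltrim($name, '\\'));
}

/**
 * Accept a Closure (what a template-level "v => ..." arrow compiles to);
 * reject string callables on the denylist and [class, method] array
 * callables outright. Throws, like the RuntimeError in the patch.
 */
function checkArrow(mixed $arrow, string $filter): void
{
    if ($arrow instanceof Closure) {
        return;
    }
    if (is_string($arrow)) {
        if (in_array(normalizeFunctionName($arrow), DENIED_ARROW_FUNCTIONS, true)) {
            throw new RuntimeException(sprintf(
                'The "%s" filter does not support passing "%s".', $filter, $arrow
            ));
        }
        return;
    }
    if (is_array($arrow)) {
        throw new RuntimeException(sprintf(
            'The "%s" filter does not support method callables.', $filter
        ));
    }
}

/** Simplified stand-ins for Twig's |map and |reduce filters. */
function safeMap(array $values, mixed $arrow): array
{
    checkArrow($arrow, 'map');
    return array_map($arrow, $values);
}

function safeReduce(array $values, mixed $arrow, mixed $initial): mixed
{
    checkArrow($arrow, 'reduce');
    return array_reduce($values, $arrow, $initial);
}

// 1. Closures and harmless string callables still pass the guard.
var_dump(safeMap(['a', 'b'], 'strtoupper'));
var_dump(safeReduce([1, 2, 3], fn($carry, $v) => $carry + $v, 0));

// 2. Why a forwarder belongs on the list: with call_user_func as the
//    arrow, the *data* chooses the function that actually runs. Shown
//    with a harmless target: array_reduce calls $arrow($carry, $item),
//    which here is call_user_func('strtoupper', 'x').
var_dump(array_reduce(['x'], 'call_user_func', 'strtoupper'));

// 3. The guard rejects a denied name in every spelling PHP would accept.
foreach (['system', 'System', '\\system', 'call_user_func', '\\Call_User_Func'] as $name) {
    try {
        safeReduce(['x'], $name, 'strtoupper');
        echo "$name: allowed\n";
    } catch (RuntimeException $e) {
        echo "$name: blocked ({$e->getMessage()})\n";
    }
}
```

Run it with any PHP 8 interpreter; step 3 should report every name as blocked. The point of normalizing before the lookup is that a denylist keyed on one literal spelling is only as good as the matcher in front of it.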
Impact
Successful exploitation lets an authenticated attacker with the required privileges execute arbitrary PHP on the server: templates rendered by Craft run inside the web server's PHP process, so a malicious Twig template can call arbitrary PHP functions, leading to full compromise of the host, exfiltration of data from the database and filesystem, or pivoting into the internal network.
Mitigation
The vulnerability is patched in Craft CMS 4.16.6 and 5.8.7; upgrade to those versions or later (`composer show craftcms/cms` reports the installed version). The advisories mention no workaround, but keeping allowAdminChanges disabled in production (CRAFT_ALLOW_ADMIN_CHANGES=false) removes a precondition of the attack, and limiting the number of control-panel accounts with administrative rights reduces the set of accounts an attacker could use [3][1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (ecosystem) | Affected versions | Patched versions |
|---|---|---|
| craftcms/cms (Packagist) | >= 4.0.0-RC1, < 4.16.6 | 4.16.6 |
| craftcms/cms (Packagist) | >= 5.0.0-RC1, < 5.8.7 | 5.8.7 |
Patches
e77f8a287dcd Merge pull request #17612 from craftcms/bugfix/twig-ssti
2 files changed · +5 −0
CHANGELOG.md+4 −0 modified@@ -1,5 +1,9 @@ # Release Notes for Craft CMS 4 +## Unreleased + +- Fixed an RCE vulnerability. + ## 4.16.4 - 2025-07-08 - Fixed an information disclosure vulnerability.
src/web/twig/Extension.php+1 −0 modified@@ -122,6 +122,7 @@ private static function checkArrowFunction(mixed $arrow, string $thing, string $ 'file_get_contents', 'file_put_contents', 'popen', + 'call_user_func', ]) ) { throw new RuntimeError(sprintf('The "%s" %s does not support passing "%s".', $thing, $type, $arrow));
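Review bot: the Unreleased entry "Fixed an RCE vulnerability." in the CHANGELOG.md hunk gives operators nothing to match against when triaging; consider naming the advisory (GHSA-crcq-738g-pqvc) in that line, since the 4.16.6 release notes are the first place many will look for it.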
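Review bot: the new 'call_user_func' entry in the checkArrowFunction denylist in the Extension.php hunk closes one forwarder, but the hunk's context shows only the tail of the array, so confirm that its siblings (call_user_func_array, forward_static_call, forward_static_call_array) are present above it; each invokes whatever callable its first argument names exactly as call_user_func does. Also confirm that the comparison feeding this array normalizes case and a leading backslash: PHP resolves function names case-insensitively and accepts '\call_user_func', so a check that matches only the literal lowercase spelling rejects 'call_user_func' while letting 'Call_User_Func' through.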
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-crcq-738g-pqvc (GitHub Advisory Database entry)
- nvd.nist.gov/vuln/detail/CVE-2025-57811 (NVD entry)
- github.com/craftcms/cms/commit/e77f8a287dcdda41f1724f525d03542f18566cbc (fix commit)
- github.com/craftcms/cms/pull/17612 (fix pull request)
- github.com/craftcms/cms/security/advisories/GHSA-crcq-738g-pqvc (vendor advisory)
- github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv (related Craft advisory)
News mentions
No linked articles in our index yet.