Craft CMS vulnerable to potential authenticated Remote Code Execution via Twig SSTI
Description
Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via Twig SSTI. For this to work, users must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled, which is against Craft CMS' recommendations for any non-dev environment. Alternatively, a non-administrator account with allowAdminChanges disabled can be used, provided access to the System Messages utility is available. It is possible to craft a malicious payload using the Twig map filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to RCE. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Craft CMS 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 allow authenticated RCE via Twig SSTI using the `map` filter in admin settings or System Messages.
Vulnerability
Overview
Craft CMS versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to authenticated Remote Code Execution (RCE) via Server-Side Template Injection (SSTI) in the Twig templating engine [1]. The root cause is insufficient sanitization of user-supplied Twig input in text fields that accept Twig code, specifically when using the map filter within the Craft control panel's Settings or the System Messages utility [1][4].
Exploitation
Prerequisites
Exploitation requires either an administrator account with allowAdminChanges enabled (which is discouraged in production) or a non-administrator account with access to the System Messages utility [1]. An attacker can craft a malicious payload using the Twig map filter to inject arbitrary Twig code, which is then executed by the server [1][4]. The attack surface is limited to authenticated users with specific privileges, but the impact is severe.
Impact
Successful exploitation allows an authenticated attacker to execute arbitrary PHP code on the server, leading to full compromise of the Craft CMS installation [1]. This could result in data theft, site defacement, or further lateral movement within the hosting environment.
Mitigation
The vulnerability has been patched in versions 5.8.21 and 4.16.17 [1][2]. Users are strongly advised to update immediately. As a workaround, administrators should ensure allowAdminChanges is disabled in production environments and restrict access to the System Messages utility to trusted users only [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
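The defensive pattern the fix commit applies, shown as an added illustration that is not Craft CMS's own code: a Twig-extension style filter validates its arrow argument before anything is invoked, so a plain string (which call_user_func() would treat as the name of an arbitrary PHP function) is refused while a compiled Twig arrow function (a Closure) is accepted. `ArrowGuard`, `groupFilter` and the sample input are hypothetical.

```php
<?php
// Added illustration, not Craft CMS's own code. Demonstrates validating the
// arrow argument of a map/group style Twig filter before it is ever called.
declare(strict_types=1);

final class ArrowGuard
{
    /**
     * Hypothetical equivalent of the check the patch adds. A Twig arrow
     * function (`v => ...`) compiles to a Closure; any other value, in
     * particular a string, must not reach call_user_func().
     */
    public static function check(mixed $arrow, string $name, string $type): void
    {
        if (!$arrow instanceof \Closure) {
            throw new \InvalidArgumentException(sprintf(
                'The "%s" %s only accepts a Twig arrow function, %s given.',
                $name, $type, get_debug_type($arrow)
            ));
        }
    }
}

/** Hardened group filter (illustrative): validate first, then iterate. */
function groupFilter(iterable $arr, callable|string $arrow): array
{
    ArrowGuard::check($arrow, 'group', 'filter');
    $groups = [];
    foreach ($arr as $key => $value) {
        $groups[(string)$arrow($value, $key)][] = $value;
    }
    return $groups;
}

// Constructed sample input.
$items = ['apple', 'avocado', 'banana'];

// Legitimate use: a Closure, as a compiled Twig arrow function would be.
print_r(groupFilter($items, fn(string $v): string => $v[0]));

// Any string arrow is refused before it can be called, even a harmless one,
// because the guard keys on the type rather than on a denylist of names.
try {
    groupFilter($items, 'strtoupper');
} catch (\InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```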
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| craftcms/cms (Packagist) | >= 5.0.0-RC1, < 5.8.21 | 5.8.21 |
| craftcms/cms (Packagist) | >= 4.0.0-RC1, < 4.16.17 | 4.16.17 |
Affected products
Patches (2)
2 files changed · +3 −1
CHANGELOG.md+1 −1 modified@@ -6,7 +6,7 @@ - Fixed an error that could occur when executing a GraphQL mutation when the `lazyGqlTypes` config setting was enabled. ([#18014](https://github.com/craftcms/cms/issues/18014)) - Fixed a PHP error that could occur when creating a username that began or ended with an `@`. ([#18123](https://github.com/craftcms/cms/pull/18123)) - Fixed a bug where assets with disallowed file extensions could be stored in the system’s temp directory. ([#18049](https://github.com/craftcms/cms/pull/18049)) -- Fixed an RCE vulnerability. (GHSA-255j-qw47-wjh5) +- Fixed RCE vulnerabilities. (GHSA-255j-qw47-wjh5, GHSA-742x-x762-7383) ## 4.16.16 - 2025-11-18
src/web/twig/Extension.php+2 −0 modified@@ -1221,6 +1221,8 @@ public function filterFilter(TwigEnvironment $env, iterable $arr, ?callable $arr */ public function groupFilter(iterable $arr, callable|string $arrow): array { + self::checkArrowFunction($arrow, 'group', 'filter'); + $groups = []; if (!is_string($arrow) && is_callable($arrow)) {
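Review bot: in the CHANGELOG.md hunk, the replacement line "Fixed RCE vulnerabilities. (GHSA-255j-qw47-wjh5, GHSA-742x-x762-7383)" folds the new advisory into the existing entry without saying which component changed; since the companion Extension.php hunk hardens the Twig `group` filter, consider a separate entry that names the filter so operators reading the 4.16.x section can tell the two advisories apart.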
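Review bot: in the Extension.php hunk, `self::checkArrowFunction($arrow, 'group', 'filter');` is correctly placed before `$groups = [];` and before the `if (!is_string($arrow) && is_callable($arrow))` branch, so nothing is invoked with an unvalidated `$arrow`; but the hunk only touches `groupFilter`, while the advisory names the `map` filter, and the `callable|string $arrow` signature still admits a plain string that the visible branch routes to a separate path. Confirm that every filter taking a `callable|string` arrow (including `map`) calls `checkArrowFunction`, and that the helper throws rather than returns on a rejected value, since a silent return would let the string path below proceed.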
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
1. github.com/advisories/GHSA-742x-x762-7383 (GHSA advisory)
2. nvd.nist.gov/vuln/detail/CVE-2025-68454 (NVD entry)
3. github.com/craftcms/cms/blob/5.x/CHANGELOG.md (changelog)
4. github.com/craftcms/cms/commit/d82680f4a05f9576883bb83c3f6243d33ca73ebe (fix commit)
5. github.com/craftcms/cms/security/advisories/GHSA-742x-x762-7383 (vendor advisory)
News mentions (0)
No linked articles in our index yet.