CVE-2025-23209: Craft CMS RCE via Twig SSTI

Score: 8
HIGH
Published: 2025-02-20
Affected: Craft CMS 4.x < 4.13.8, 5.x < 5.5.5
CWE-94

Is Craft CMS vulnerable to code execution?

Craft CMS contains a code injection vulnerability: server-side template injection (SSTI) in Twig templates. An attacker who obtains the application's secret key can execute arbitrary code by injecting a crafted template payload.

Impact & Exploitation

The vulnerability has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog. Craft CMS powers over 150,000 websites. Combined with information disclosure vulnerabilities, it enables a full RCE chain without authentication.
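The first remediation step is confirming which installations sit inside the affected ranges stated above. The following triage helper is an added example written for this page, not code from Craft CMS or from Precogs; the inventory it scans is constructed, and it treats a pre-release build of a fixed version (for example 5.5.5-beta.1) as still affected because it precedes the fixed release.

```python
"""Added example: flag Craft CMS installs affected by CVE-2025-23209,
using the advisory's affected ranges (4.x < 4.13.8, 5.x < 5.5.5)."""
from __future__ import annotations

# Fixed releases per branch, taken from the advisory's "Affected" field.
# The trailing 1 marks a final release; pre-releases carry 0 so they sort lower.
FIXED_VERSIONS = {4: (4, 13, 8, 1), 5: (5, 5, 5, 1)}


def parse_version(version: str) -> tuple[int, int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH[-prerelease][+build]' into a sortable tuple.

    The fourth element is 1 for a final release and 0 for a pre-release,
    so '5.5.5-beta.1' compares lower than '5.5.5' as semver requires.
    """
    core, _, rest = version.strip().partition("-")
    core = core.split("+", 1)[0]          # build metadata never affects ordering
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    is_release = 0 if rest else 1
    return (major, minor, patch, is_release)


def is_affected(version: str) -> bool:
    """True when the version is in an affected branch and below its fix."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[0])
    if fixed is None:
        # Branches the advisory does not name (e.g. 3.x) are out of scope here.
        return False
    return parsed < fixed


def triage(inventory: dict[str, str]) -> list[str]:
    """Return hostnames whose recorded Craft CMS version is affected, sorted."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory (hostname -> reported Craft CMS version).
SAMPLE_INVENTORY = {
    "web-01.example.test": "4.13.7",
    "web-02.example.test": "4.13.8",
    "web-03.example.test": "5.5.4",
    "web-04.example.test": "5.5.5-beta.1",
    "web-05.example.test": "5.6.0",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: Craft CMS {SAMPLE_INVENTORY[host]} is affected by CVE-2025-23209")
```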


Precogs Research

This vulnerability intelligence report was analyzed and enriched by the Precogs AI Security Team. Our researchers continuously monitor emerging threats across AI code, LLM pipelines, and binary architectures to ensure accurate real-time remediation guidance.

Is Your System Still Exposed to Critical CVEs?

Vulnerabilities like CVE-2025-23209 (Craft CMS RCE via Twig SSTI) don't just exist in source code: they persist in compiled binaries, containers, and embedded systems. Precogs AI detects vulnerable components across your entire stack, even when source code isn't available.