Cyber Resilience

CVE-2023-32679

Severity: High · Public PoC

Published: 19 May 2023
Modified: 21 November 2024
KEV Added: not listed
Patch: not recorded
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0643 (91.3rd percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-32679 is a high-severity injection (CWE-74) vulnerability in Craft CMS (craftcms). Its CVSS v3.1 base score is 7.2 (High).

Operationally, it ranks in the top 8.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

Craft CMS, an open source content management system, contains a flaw in the View.php component: doesTemplateExist() calls resolveTemplate(), which in turn reaches _resolveTemplateInternal() and _resolveTemplate(), and when the supplied name parameter is a non-empty string the lookup returns without verifying the file extension. Files with arbitrary extensions are therefore processed as Twig templates, which leads to remote code execution in versions prior to 4.4.6. The vulnerability is classified as CWE-74 and carries a CVSS 3.1 score of 7.2.

An attacker with administrative privileges can exploit the issue in development environments or in staging or production instances that lack proper configuration hardening. Successful exploitation permits arbitrary code execution that can extend to full access on the underlying host operating system.

The official Craft CMS advisory states that the issue is resolved in version 4.4.6 and recommends immediate upgrade; no workarounds are documented.
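The missing check described above (and restated in the Vulnerability details section) is an extension verification inside the template lookup. The following Python is an added illustration, not Craft CMS code (Craft is written in PHP and its real resolver is not reproduced here): a lookup that accepts any existing file as a template, placed beside a hardened lookup that enforces an allowlist of template extensions and keeps the resolved path inside the templates root. The allowlist, the directory layout and the sample files are all constructed for this example.

```python
import tempfile
from pathlib import Path
from typing import Optional, Tuple

# Constructed allowlist for this example; it is not Craft's configuration.
ALLOWED_TEMPLATE_EXTENSIONS = frozenset({".twig", ".html"})


def resolve_template_unchecked(templates_root: str, name: str) -> Optional[Path]:
    """Shape of the flaw: once the name is non-empty, any existing file under
    the root is returned as a template. Nothing inspects the extension."""
    if not name:
        return None
    candidate = Path(templates_root) / name
    return candidate if candidate.is_file() else None


def resolve_template_checked(templates_root: str, name: str) -> Optional[Path]:
    """Hardened lookup: same resolution, plus containment and extension checks."""
    if not name:
        return None
    root = Path(templates_root).resolve()
    candidate = (root / name).resolve()
    try:
        candidate.relative_to(root)  # resolved path must stay inside the root
    except ValueError:
        return None
    # The verification the vulnerable code path skipped: only allowlisted
    # template extensions may be handed to the template engine.
    if candidate.suffix.lower() not in ALLOWED_TEMPLATE_EXTENSIONS:
        return None
    return candidate if candidate.is_file() else None


def build_demo_root() -> str:
    """Create a throwaway templates directory populated with constructed files."""
    base = Path(tempfile.mkdtemp(prefix="tpl-demo-"))
    root = base / "templates"
    root.mkdir()
    (root / "index.twig").write_text("<h1>{{ title }}</h1>\n")
    (root / "notes.txt").write_text("{{ 7 * 6 }}\n")        # not a template file
    (base / "outside.twig").write_text("{{ 'outside' }}\n")  # outside the root
    return str(root)


def compare_resolvers(templates_root: str, name: str) -> Tuple[bool, bool]:
    """Return (unchecked_resolved, checked_resolved) for a side-by-side view."""
    return (
        resolve_template_unchecked(templates_root, name) is not None,
        resolve_template_checked(templates_root, name) is not None,
    )


if __name__ == "__main__":
    demo_root = build_demo_root()
    for n in ("index.twig", "notes.txt", "../outside.twig", ""):
        print(f"{n!r:20} unchecked/checked = {compare_resolvers(demo_root, n)}")
```

The unchecked variant resolves notes.txt and a file reached through ".." exactly as it resolves index.twig, which is the behaviour the advisory describes; the checked variant rejects both while still serving the legitimate template. In a review, the question to ask of any template or include resolver is whether a non-empty name can reach the engine without passing an extension and containment check.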

EPSS for this CVE rose from a low baseline to a peak of 0.2927 on 2025-12-11 before receding to the current value of 0.0643, indicating that exploitation interest emerged after public disclosure and that the vulnerability merits renewed attention.

EU & UK References

Vulnerability details

Craft CMS is an open source content management system. In affected versions of Craft CMS an unrestricted file extension may lead to Remote Code Execution. If the name parameter value is not an empty string ('') in View.php's doesTemplateExist() -> resolveTemplate() -> _resolveTemplateInternal() -> _resolveTemplate() function, it returns directly without extension verification, so that arbitrary extension files are rendered as Twig templates. When an attacker with admin privileges is on a DEV or an improperly configured STG or PROD environment, they can exploit this vulnerability for remote code execution. Code execution may grant the attacker access to the host operating system. This issue has been addressed in version 4.4.6. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

craftcms craft cms, versions 4.0.0 to 4.4.6 (fixed in 4.4.6)

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-74: developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and verifiable flaw remediation corrects them before deployment.

Addresses CWE-74: identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.

References