
CVE-2025-46731

Severity: High

Published: 05 May 2025

Modified: 03 September 2025

CVSS v4 Score: 7.3
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0091 (76.3rd percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-46731 is a high-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability in Craft CMS by craftcms. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Template Injection (T1221). The CVE ranks in the top 23.7% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.


Vulnerability details

Craft is a content management system. Versions of Craft CMS on the 4.x branch prior to 4.14.13 and on the 5.x branch prior to 5.6.16 contain a potential remote code execution vulnerability via Twig SSTI. One must have administrator access and `ALLOW_ADMIN_CHANGES` must be enabled for this to work. Users should update to the patched versions 4.14.13 or 5.6.15 to mitigate the issue.


MITRE ATT&CK Enterprise Techniques

- T1221 Template Injection (Stealth): Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts.
- T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

Why these techniques?

The vulnerability is a Twig Server-Side Template Injection (SSTI) enabling remote code execution with admin access (T1221: Template Injection). It also facilitates exploitation of a remote web service for code execution (T1210: Exploitation of Remote Services).

Affected Assets

Vendor: craftcms
Product: Craft CMS
Affected versions: 4.0.0, 5.0.0 · 4.1.0 — 4.14.13 · 5.1.0 — 5.6.15

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
