CVE-2025-68454
Published: 05 January 2026
Summary
CVE-2025-68454 is a high-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability in Craftcms Craft Cms. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 29.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Flaw remediation directly addresses the SSTI vulnerability by applying vendor patches (5.8.21 or 4.16.17) to prevent RCE exploitation.
Information input validation prevents malicious Twig payloads using the map filter from being processed in text fields under Settings or System Messages.
Least privilege limits administrator access to the Craft Control Panel and System Messages utility, reducing the authenticated attack surface for SSTI exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is explicitly server-side template injection (SSTI) in the Twig engine enabling authenticated RCE, directly mapping to T1221 (Template Injection). As an exploitable flaw in a public-facing web application (Craft CMS control panel), it maps to T1190 (Exploit Public-Facing Application).
NVD Description
Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via Twig SSTI. For this to work, users must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled, which is against Craft CMS' recommendations for any non-dev environment. Alternatively, a non-administrator account with allowAdminChanges disabled can be used, provided access to the System Messages utility is available. It is possible to craft a malicious payload using the Twig `map` filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.
Deeper analysis
CVE-2025-68454 affects Craft CMS, a platform for creating digital experiences, in versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16. The vulnerability enables potential authenticated remote code execution (RCE) through server-side template injection (SSTI) in the Twig templating engine, classified under CWE-1336 with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Exploitation requires an authenticated attacker with administrator access to the Craft Control Panel where the allowAdminChanges setting is enabled, though this is against Craft CMS recommendations for non-development environments. Alternatively, a non-administrator account with access to the System Messages utility suffices. Attackers can craft a malicious payload leveraging the Twig `map` filter within text fields that accept Twig input, such as those under Settings in the control panel or the System Messages utility, resulting in RCE.
Craft CMS advisories recommend updating to the patched releases—version 5.8.21 for the 5.x series and 4.16.17 for the 4.x series—to mitigate the issue. Details are available in the project's changelog at https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04, the fixing commit at https://github.com/craftcms/cms/commit/d82680f4a05f9576883bb83c3f6243d33ca73ebe, and the GitHub security advisory at https://github.com/craftcms/cms/security/advisories/GHSA-742x-x762-7383.
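As an added example (not code from Craft CMS or from this advisory), the following Python helper turns the affected ranges and fixed releases stated above into an auditable version check. It assumes Craft version strings of the form MAJOR.MINOR.PATCH with an optional -alpha.N/-beta.N/-RCN suffix, and treats pre-release tags as sorting before the final release of the same number, so 5.0.0-RC1 counts as affected while 5.0.0-beta.3 falls before the stated range.

```python
"""Check whether a Craft CMS version is inside the CVE-2025-68454 affected ranges."""
import re
from typing import Optional, Tuple

# Affected ranges and first patched release per major series, as stated in the advisory.
AFFECTED = {
    4: ("4.0.0-RC1", "4.16.16", "4.16.17"),
    5: ("5.0.0-RC1", "5.8.20", "5.8.21"),
}

# Assumed version format: MAJOR.MINOR.PATCH with optional -alpha.N / -beta.N / -RCN suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|RC)\.?(\d*))?$", re.IGNORECASE)


def parse_version(s: str) -> Tuple[int, int, int, int, int]:
    """Parse a Craft version string into a sortable tuple.

    Pre-release builds rank below the final release of the same number
    (alpha < beta < RC < final), so 5.0.0-RC1 < 5.0.0.
    """
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Craft version string: {s!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    tag, num = m.group(4), m.group(5)
    if tag is None:
        return (major, minor, patch, 3, 0)  # final release ranks highest
    rank = {"alpha": 0, "beta": 1, "rc": 2}[tag.lower()]
    return (major, minor, patch, rank, int(num or 0))


def is_affected(version: str) -> Optional[bool]:
    """True if inside an affected range, False if patched or before the range,
    None if the major series is not covered by the advisory (e.g. 3.x)."""
    v = parse_version(version)
    rng = AFFECTED.get(v[0])
    if rng is None:
        return None
    low, high, _fixed = rng
    return parse_version(low) <= v <= parse_version(high)


def fixed_version_for(version: str) -> Optional[str]:
    """Return the first patched release for the version's major series, or None."""
    rng = AFFECTED.get(parse_version(version)[0])
    return rng[2] if rng else None


if __name__ == "__main__":
    for v in ("5.0.0-RC1", "5.8.20", "5.8.21", "4.16.16", "4.16.17", "3.9.0"):
        print(v, "affected" if is_affected(v) else "not affected / out of scope", "->", fixed_version_for(v))
```

Pair the version check with a review of the allowAdminChanges setting and of which accounts hold System Messages access, since the advisory describes both as preconditions for exploitation.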
Details
- CWE(s)