Base Score

HIGH7.2

CVE-2025-57811

Craft is a platform for creating digital experiences. From versions 4.0.0-RC1 to 4.16.5 and 5.0.0-RC1 to 5.8.6, there is a potential remote code execution vulnerability via Twig SSTI (Server-Side Template Injection). This is a follow-up to CVE-2024-52293. This vulnerability has been patched in versions 4.16.6 and 5.8.7.

VectorNETWORK

Published Bysecurity-advisories@github.com

Published DateAug 25, 2025, 18:15

Affected Versions(2)

craftcms/cms(Packagist)

Introduced4.0.0-RC1

Fixed4.16.6

LimitN/A

craftcms/cms(Packagist)

Introduced5.0.0-RC1

Fixed5.8.7

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
craftcms/cms(Packagist)	4.0.0-RC1	4.16.6	N/A
craftcms/cms(Packagist)	5.0.0-RC1	5.8.7	N/A

Weakness Type (CWE):CWE-1336

CVSS Metrics

Base Score

6.1

Vector String

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Base Severity

MEDIUM

Version

4.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

HIGH

User Interaction (UI)

NONE

Scope (S)

Confidentiality (C)

Integrity (I)

Availability (A)

References

Base Score

HIGH7.2

Weakness Type (CWE):CWE-1336

CVSS Metrics

Base Score

6.1

Vector String

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Base Severity

MEDIUM

Version

4.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

HIGH

User Interaction (UI)

NONE

Scope (S)

Confidentiality (C)

Integrity (I)

Availability (A)