Description

Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. This is an remote code execution (RCE) vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised. Anyone running an unpatched version of Craft with a compromised security key is affected. This vulnerability has been patched in Craft 5.5.8 and 4.13.8. Users who cannot update to a patched version, should rotate their security keys and ensure their privacy to help migitgate the issue.

Remediation

References

CVE-2025-23209

Related Vulnerabilities

TYPO3 Deserialization of Untrusted Data Vulnerability (CVE-2019-19849)

Resin Application Server Permissions, Privileges, and Access Controls Vulnerability (CVE-2012-2969)

WordPress 4.2.x Multiple Vulnerabilities (4.2 - 4.2.21)

Artifactory Insufficiently Protected Credentials Vulnerability (CVE-2018-1000424)

WordPress Plugin N5 Upload Form Arbitrary File Upload (1.0)

Severity

High

Classification

CVE-2025-23209 CWE-94 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities