
Potential Remote Code Execution via Twig SSTI

High
angrybrad published GHSA-7c58-g782-9j38 May 5, 2025

Package

composer craftcms/cms (Composer)

Affected versions

>= 4.0.0-RC1, <= 4.14.12
>= 5.0.0-RC1, <= 5.6.14

Patched versions

4.14.13
5.6.15

Description

Exploitation requires an authenticated administrator account, and ALLOW_ADMIN_CHANGES (the allowAdminChanges general config setting, which the linked guide recommends setting to false in production) must be enabled.

https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production

Note: This is a follow-up to GHSA-f3cw-hg6r-chfv

Users should update to the patched versions (4.14.13 and 5.6.15) to mitigate the issue. Disabling allowAdminChanges in production removes the precondition for this attack but is not a substitute for updating.
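As an added triage example (not code from the advisory or from the Craft CMS project), the script below reads a composer.lock and a .env file and reports whether an install falls in the affected version ranges above and whether the admin-changes precondition is met. It assumes the env variable is spelled ALLOW_ADMIN_CHANGES or CRAFT_ALLOW_ADMIN_CHANGES in .env; if neither is present it reports the setting as unknown, since the value may come from config/general.php instead. The lock and .env contents embedded at the bottom are constructed sample inputs.

```python
"""Triage helper for GHSA-7c58-g782-9j38 / CVE-2025-46731 (added example)."""
import json
import re
from typing import Optional

# Affected ranges copied from the advisory: lower and upper bounds are inclusive.
AFFECTED_RANGES = [
    ("4.0.0-RC1", "4.14.12"),
    ("5.0.0-RC1", "5.6.14"),
]

def parse_version(v: str) -> tuple:
    """Turn '5.6.14' or '4.0.0-RC1' into a sortable tuple.

    Layout: (major, minor, patch, is_release, pre_tag, pre_number).
    A pre-release sorts below the final release of the same core version,
    and alpha < beta < rc falls out of plain string comparison of the tag.
    """
    core, _, pre = v.lstrip("v").partition("-")
    nums = tuple(int(x) for x in core.split("."))
    nums += (0,) * (3 - len(nums))
    if pre:
        m = re.match(r"([A-Za-z]+)\.?(\d*)", pre)
        tag = m.group(1).lower() if m else pre.lower()
        num = int(m.group(2)) if m and m.group(2) else 0
        return nums + (0, tag, num)
    return nums + (1, "", 0)

def is_affected(version: str) -> bool:
    """True if the version lies inside any affected range from the advisory."""
    pv = parse_version(version)
    return any(parse_version(lo) <= pv <= parse_version(hi) for lo, hi in AFFECTED_RANGES)

def installed_cms_version(composer_lock_text: str) -> Optional[str]:
    """Return the locked craftcms/cms version, or None if the package is absent."""
    lock = json.loads(composer_lock_text)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg.get("version")
    return None

def admin_changes_enabled(env_text: str) -> Optional[bool]:
    """Read ALLOW_ADMIN_CHANGES / CRAFT_ALLOW_ADMIN_CHANGES from .env text.

    Returns None when neither key is set: the setting may then be controlled
    in config/general.php, so the caller must not assume it is disabled.
    (Assumption: these two key names; the advisory only names the first.)
    """
    result: Optional[bool] = None
    for line in env_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, val = line.partition("=")
        if key.strip() in ("ALLOW_ADMIN_CHANGES", "CRAFT_ALLOW_ADMIN_CHANGES"):
            result = val.strip().strip("\"'").lower() in ("1", "true", "yes", "on")
    return result

def triage(composer_lock_text: str, env_text: str) -> dict:
    """Combine version and config checks into one verdict.

    'exposed' is True when the version is affected and admin changes are not
    explicitly disabled in .env (unknown is treated as potentially enabled).
    """
    version = installed_cms_version(composer_lock_text)
    vulnerable_version = version is not None and is_affected(version)
    enabled = admin_changes_enabled(env_text)
    return {
        "version": version,
        "vulnerable_version": vulnerable_version,
        "admin_changes_enabled": enabled,
        "exposed": vulnerable_version and enabled is not False,
    }

# Constructed sample inputs, not taken from any real project.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "craftcms/cms", "version": "5.6.14"},
        {"name": "twig/twig", "version": "3.20.0"},
    ]
})
SAMPLE_ENV = "# local settings\nCRAFT_ENVIRONMENT=production\nCRAFT_ALLOW_ADMIN_CHANGES=true\n"

if __name__ == "__main__":
    print(triage(SAMPLE_COMPOSER_LOCK, SAMPLE_ENV))
```

The verdict for the sample is "exposed", because 5.6.14 is the last affected 5.x release and admin changes are switched on; bumping the lock to 5.6.15 or setting the variable to false flips the result. Note that the .env check only sees that file, so a value set directly in config/general.php has to be checked by hand.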

References

#17026

Severity

High

CVE ID

CVE-2025-46731

Weaknesses

No CWEs

Credits