2 matches found
GHSA-CRCQ-738G-PQVC Craft CMS Potential Remote Code Execution via Twig SSTI
Note that users must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled for this to work, which is against Craft CMS' recommendations for any non-dev environment. https://craftcms.com/knowledge-base/securing-craftset-allowAdminChanges-to-false-in-productio...
PT-2025-19793 · Craft Cms · Craft Cms
Name of the Vulnerable Software and Affected Versions:
Craft CMS versions 4.0.0-RC1 through 4.14.12
Craft CMS versions 5.0.0-RC1 through 5.6.15
Description: Craft is a content management system that contains a potential remote code execution vulnerability via Twig SSTI. This issue can be exploite...