CVE-2025-23209 · HIGH 8.1 · CISA KEV · EPSS p89.5%

CVE-2025-23209: Craft CMS Code Injection Vulnerability

Craft CMS / Craft CMS

Description

Craft CMS contains a code injection vulnerability caused by improper validation of the database backup path, ultimately enabling remote code execution.

Scoring

CVSS 3.1: 8.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 4.13% probability of exploitation · percentile 89.5% · 2026-06-18T12:00:27Z
Published: 2025-01-18
Last modified: 2025-10-24

CISA KEV entry

Added to KEV: 2025-02-20

Underlying weaknesses · 1

CWE-94

References

  1. https://craftcms.com/knowledge-base/securing-craft#keep-your-secrets-secret
  2. https://github.com/craftcms/cms/commit/e59e22b30c9dd39e5e2c7fe02c147bcbd004e603
  3. https://github.com/craftcms/cms/security/advisories/GHSA-x684-96hh-833x
  4. https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-23209

1

Type: Weakness · Target: Improper Control of Generation of Code ('Code Injection') (cwe-94) · Confidence: 0% · Tier: live

(incoming) · 1

Type: KEVEntry · Target: Craft CMS Code Injection Vulnerability (kev-cve-2025-23209) · Confidence: 0% · Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2025-54417
CVE: CVE-2026-0805
CVE: CVE-2025-68456
CVE: Craft CMS External Control of Assumed-Immutable Web Parameter Vulnerability
CVE: CVE-2025-6384
CVE: CVE-2026-28697

Sourced from NVD + CISA KEV + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.