CVE-2025-6384 · CRITICAL 9.1 · EPSS percentile 53.7%

CVE-2025-6384

Description

An Improper Control of Dynamically-Managed Code Resources (CWE-913) vulnerability in Crafter Studio, the authoring component of CrafterCMS, allows authenticated developers to execute OS commands by bypassing the Groovy sandbox. By inserting malicious Groovy elements into sandboxed code, an attacker can escape the sandbox restrictions and obtain remote code execution (RCE) on the host. This issue affects CrafterCMS versions 4.0.0 through 4.2.2.

Scoring

CVSS 3.1: 9.1 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.86% probability of exploitation · percentile 53.7% · as of 2026-06-19T12:03:05Z
Published: 2025-06-19
Last modified: 2025-12-16

Reading the vector against the description: PR:H reflects that the attacker must already hold an authenticated developer account in Crafter Studio, and S:C reflects that the Groovy sandbox escape yields OS command execution on the host, outside the CMS's own security boundary. The low EPSS probability is an estimate of the likelihood of in-the-wild exploitation over the next 30 days; it says nothing about impact.

Underlying weaknesses · 1

CWE-913: Improper Control of Dynamically-Managed Code Resources

References

  1. https://docs.craftercms.org/current/security/advisory.html#cv-2025061901


Type      | Target                                                           | Confidence | Tier
Weakness  | Improper Control of Dynamically-Managed Code Resources (cwe-913) | 0%         | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus. Note that Craft CMS is a different product from CrafterCMS, so a neighbour carrying that name reflects naming similarity rather than shared code.

  1. CVE: CVE-2025-68454
  2. CVE: Craft CMS Code Injection Vulnerability
  3. CVE: CVE-2025-54417
  4. CVE: CVE-2025-0502
  5. CVE: CVE-2026-31857
  6. CVE: CVE-2026-28697
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.