Intel

AIKIDO-2025-10004

craftcms/cms is vulnerable to Remote Code Execution (RCE)

Remote Code Execution (RCE) / CVE-2025-23209

Risk score: 70 (High Risk)

This Affects:

php / craftcms/cms
3.0.0 - 3.9.13 (fixed in 3.9.14)
4.0.0 - 4.13.7 (fixed in 4.13.8)
5.0.0 - 5.5.7 (fixed in 5.5.8)

TL;DR

Affected versions of this package contain a Remote Code Execution vulnerability caused by a validation bypass in the update workflow: user-controlled input is handled insecurely when the database restore process is initiated. An attacker can exploit this to execute arbitrary code on the server or retrieve sensitive information.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

craftcms/cms is vulnerable to Remote Code Execution (RCE) in versions 5.0.0 - 5.5.7, 4.0.0 - 4.13.7 and 3.0.0 - 3.9.13.

How to fix this

Upgrade craftcms/cms to the patched release for your major version: 3.9.14 (3.x), 4.13.8 (4.x) or 5.5.8 (5.x). Any release at or above these is fixed.
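To turn the "Who does this affect?" and "How to fix this" sections into a repeatable check, the following Python script reads a project's composer.lock, finds the installed craftcms/cms version, compares it against the three affected ranges listed on this page, and reports the fixed version to upgrade to. This is an added example written for this page, not code from Aikido or from the Craft CMS project; the embedded composer.lock content is a constructed sample, and the range table is copied from the advisory above.

```python
import json
import re

# Affected ranges (inclusive) and the release that fixes each, from the advisory.
AFFECTED_RANGES = [
    ((3, 0, 0), (3, 9, 13), "3.9.14"),
    ((4, 0, 0), (4, 13, 7), "4.13.8"),
    ((5, 0, 0), (5, 5, 7), "5.5.8"),
]


def parse_version(version):
    """Convert a Composer version string ('4.13.7', 'v5.5.7', '3.9.13.0') to an int tuple.

    Pre-release suffixes such as '-beta.1' are ignored for the range check;
    branch aliases like 'dev-main' are rejected because they carry no number.
    """
    match = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in match.groups())


def fixed_version_for(version):
    """Return the patched release to upgrade to if `version` is affected, else None."""
    installed = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= installed <= high:
            return fixed
    return None


def check_composer_lock(lock_text):
    """Scan a composer.lock document for craftcms/cms.

    Returns (installed_version, fixed_version_or_None), or None if the
    package is not present in either 'packages' or 'packages-dev'.
    """
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for package in lock.get(section, []):
            if package.get("name") == "craftcms/cms":
                installed = package["version"]
                return installed, fixed_version_for(installed)
    return None


# Constructed sample composer.lock for demonstration; not taken from a real project.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "craftcms/cms", "version": "4.13.7"},
        {"name": "yiisoft/yii2", "version": "2.0.49"},
    ],
    "packages-dev": [],
})


if __name__ == "__main__":
    result = check_composer_lock(SAMPLE_LOCK)
    if result is None:
        print("craftcms/cms not installed; not affected by CVE-2025-23209")
    else:
        installed, fixed = result
        if fixed is None:
            print(f"craftcms/cms {installed}: not in an affected range")
        else:
            print(f"craftcms/cms {installed} is affected by CVE-2025-23209; "
                  f"upgrade to {fixed} or later")
```

Run it against a real project by replacing SAMPLE_LOCK with the contents of the project's composer.lock. If it reports an affected version, `composer require "craftcms/cms:^4.13.8"` (or the matching 3.x/5.x constraint) pulls the fixed release; re-run the check afterwards to confirm the lock file now records a version outside the affected ranges.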