CVE-2025-23209
Craft CMS Code Injection Vulnerability
CVSS
—
No CVSS
EPSS
4.7%
p91
KEV
YES
Feb 20, 2025
Exploit Today
77
0-100
Published: — · Last modified: —
4.7%EPSS · 30 days4.7%
2026-06-302026-07-16
Product
Craft CMS / Craft CMS
Vulnerability
Craft CMS Code Injection Vulnerability
Added to KEV
Feb 20, 2025
Remediate by
Mar 13, 2025
Known ransomware use
No
Summary description
Craft CMS contains a code injection vulnerability caused by improper validation of the database backup path, ultimately enabling remote code execution.
Required action
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes
https://github.com/craftcms/cms/security/advisories/GHSA-x684-96hh-833x ; https://nvd.nist.gov/vuln/detail/CVE-2025-23209