CVE-2025-23209 - Craft CMS Code Injection Vulnerability

Project:Craft CMS

Product:Craft CMS

Date Added:2025-02-20Due Date:2025-03-13

Vulnerability Name

Craft CMS Code Injection Vulnerability

Description

Craft CMS contains a code injection vulnerability caused by improper validation of the database backup path, ultimately enabling remote code execution.

Known To Be Used in Ransomware Campaigns?

Unknown

Action

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Additional Notes

https://github.com/craftcms/cms/security/advisories/GHSA-x684-96hh-833x

https://nvd.nist.gov/vuln/detail/CVE-2025-23209

Latest CVE List

Common Alerts

LowCross-Domain JavaScript Source File Inclusion
LowStrict-Transport-Security Defined via META (Non-compliant with Spec)
InformationalBase64 Disclosure
LowCookie No HttpOnly Flag
HighSQL Injection - Oracle
LowInformation Disclosure - Sensitive Information in Browser sessionStorage
InformationalStorable and Cacheable Content
InformationalAuthentication Request Identified
LowFull Path Disclosure
HighExternal Redirect