{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-14T23:57:04.626","vulnerabilities":[{"cve":{"id":"CVE-2025-23209","sourceIdentifier":"security-advisories@github.com","published":"2025-01-18T01:15:07.633","lastModified":"2025-10-24T13:59:53.980","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. This is an remote code execution (RCE) vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised. Anyone running an unpatched version of Craft with a compromised security key is affected. This vulnerability has been patched in Craft 5.5.8 and 4.13.8. Users who cannot update to a patched version, should rotate their security keys and ensure their privacy to help migitgate the issue."},{"lang":"es","value":"Craft es un CMS flexible y fácil de usar para crear experiencias digitales personalizadas en la web y más allá. Esta es una vulnerabilidad de ejecución remota de código (RCE) que afecta a las instalaciones de Craft 4 y 5 en las que su clave de seguridad ya se ha visto comprometida. Cualquiera que ejecute una versión sin parches de Craft con una clave de seguridad comprometida se ve afectado. Esta vulnerabilidad se ha corregido en Craft 5.5.8 y 4.13.8. Los usuarios que no puedan actualizar a una versión parcheada deben rotar sus claves de seguridad y garantizar su privacidad para ayudar a mitigar el problema."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1\/AV:N\/AC:H\/PR:L\/UI:R\/S:C\/C:H\/I:H\/A:H","baseScore":8.0,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.3,"impactScore":6.0},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1\/AV:N\/AC:H\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.2,"impactScore":5.9}]},"cisaExploitAdd":"2025-02-20","cisaActionDue":"2025-03-13","cisaRequiredAction":"Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.","cisaVulnerabilityName":"Craft CMS Code Injection Vulnerability","weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-94"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*","versionStartExcluding":"4.0.0","versionEndExcluding":"4.13.8","matchCriteriaId":"A969ACE2-4C09-452A-B9BD-113CA9A4FF30"},{"vulnerable":true,"criteria":"cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*","versionStartExcluding":"5.0.0","versionEndExcluding":"5.5.8","matchCriteriaId":"8DBFB276-7508-492E-ACBA-A229E869A831"},{"vulnerable":true,"criteria":"cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:*","matchCriteriaId":"610F6DE9-720F-45B3-81D5-18E7F6B090FD"},{"vulnerable":true,"criteria":"cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*","matchCriteriaId":"CC2F40FC-7C27-456A-B16D-679410D1D5CF"},{"vulnerable":true,"criteria":"cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*","matchCriteriaId":"FBAA8227-04F8-404C-907B-B0162B325F5A"},{"vulnerable":true,"criteria":"cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*","matchCriteriaId":"21B28E2C-327A-4CE6-ACAD-97E459712A55"},{"vulnerable":true,"criteria":"cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*","matchCriteriaId":"1C7461CF-35AB-48E1-88B6-956DAE1D2AB4"},{"vulnerable":true,"criteria":"cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*","matchCriteriaId":"8D8E02D1-601A-4E2B-B619-4775BFDB72D0"}]}]}],"references":[{"url":"https:\/\/craftcms.com\/knowledge-base\/securing-craft#keep-your-secrets-secret","source":"security-advisories@github.com","tags":["Product"]},{"url":"https:\/\/github.com\/craftcms\/cms\/commit\/e59e22b30c9dd39e5e2c7fe02c147bcbd004e603","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https:\/\/github.com\/craftcms\/cms\/security\/advisories\/GHSA-x684-96hh-833x","source":"security-advisories@github.com","tags":["Vendor Advisory"]},{"url":"https:\/\/www.cisa.gov\/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-23209","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["US Government Resource"]}]}}]}