References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

Change History

https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5

Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior. Note that attackers must have administrator access to the Craft Control Panel for this to work. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.

AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-470

https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04

https://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7

https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef

https://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593

https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5