Platform: php
Component: craftcms/cms
Fixed in: 5.0.1, 4.0.1, 5.8.22
CVE-2026-25498 represents a Remote Code Execution (RCE) vulnerability discovered in Craft CMS. Successful exploitation could allow an attacker to execute arbitrary code on a vulnerable system, potentially leading to complete system compromise. This vulnerability affects versions of Craft CMS up to and including 5.8.9. A patch is available in version 5.8.22.
Exploit Status
EPSS: 0.30% (53% percentile)
CISA SSVC
Upgrade Craft CMS to version 5.8.22 or later. This version contains the security fix for the remote code execution vulnerability. The upgrade can be performed through the Craft CMS control panel or with Composer.
CVE-2026-25498 is a Remote Code Execution (RCE) vulnerability affecting Craft CMS. It allows attackers to potentially execute arbitrary code on a vulnerable system, similar to a previously patched vulnerability but impacting additional endpoints.
You are likely affected if you are running Craft CMS version 5.8.9 or earlier. It's crucial to assess your environment and upgrade to a patched version to mitigate this risk.
Upgrade Craft CMS to version 5.8.22 or later to address this vulnerability. This update includes the necessary fixes to prevent unauthorized code execution.