CVE-2025-23209

CISA KEV

Published February 20, 2025 · Updated April 3, 2026

high

Official Description+

Craft CMS contains a code injection vulnerability caused by improper validation of the database backup path, ultimately enabling remote code execution.

Affected Products

Vendor	Product
Craft CMS	Craft CMS

Patch Status

Patch by 2025-03-13

Recommended Actions

Check if your systems use any of the affected products listed above.
Apply vendor patches immediately if available.
This vulnerability is in CISA's Known Exploited Vulnerabilities catalog — prioritize remediation.
Monitor vendor advisories for updates and additional mitigations.
Review logs for indicators of compromise related to CVE-2025-23209.