CVE-2025-23209 — Craft CMS Craft CMS

Craft CMS Code Injection Vulnerability

Added to KEV

2025-02-20

Federal due date

2025-03-13

Vendor

Craft CMS

Product

Craft CMS

EPSS

95.0th percentile (score 0.164, as of 2026-06-08)

NVD CVSS v3.1

—

Ransomware use

Unknown

Upstream

https://nvd.nist.gov/vuln/detail/CVE-2025-23209

CISA short description

Craft CMS contains a code injection vulnerability caused by improper validation of the database backup path, ultimately enabling remote code execution.

Required action

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

EPSS percentile is the FIRST.org exploit-probability ranking as of the date noted above; it moves daily. CVSS reflects NVD's analysis at time of publication.