CVE-2025-52122

Published August 27th, 2025

View on NVD ↗

CVSS v3

9.8

CRITICAL

CVSS v2

N/A

Affected

PROJECT

Description

Freeform 5.0.0 to before 5.10.16, a plugin for CraftCMS, contains an Server-side template injection (SSTI) vulnerability, resulting in arbitrary code injection for all users that have access to editing a form (submission title).

TimTrademark/CVE-2025-52122

Arbitrary code injection in CraftCMS Freeform 5.0.0 < 5.10.16

GitHub