A serious security vulnerability affecting the Craft content management system (CMS) has been documented by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in its Known Exploited Vulnerabilities (KEV) registry, following indications of ongoing exploitation.
The specific weakness identified is CVE-2025-23209 (CVSS score: 8.1), which affects Craft CMS versions 4 and 5. This issue was resolved by the