CVE-2025-52122: 
PHP vulnerability analysis and mitigation

A Server-side template injection (SSTI) vulnerability exists in Freeform, a plugin for CraftCMS, versions 5.0.0 to before 5.10.16. The vulnerability allows arbitrary code injection for users with form editing permissions (NVD, AttackerKB). The vulnerability was disclosed on August 27, 2025.

The vulnerability stems from Freeform's implementation of the "call" Twig filter without proper user input validation. This allows attackers to inject malicious code through the form submission title field. The vulnerability has received a CVSS v3.1 base score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating its severe nature. The vulnerability is classified under CWE-94 (Improper Control of Generation of Code) and CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine) (NVD).

The vulnerability allows attackers to execute arbitrary system commands through template injection. This can lead to complete system compromise, as demonstrated by the ability to execute arbitrary curl commands to external servers (GitHub POC).

Users should upgrade to Freeform version 5.10.16 or later, which contains a fix for this vulnerability. The fix implements proper validation of user input for the Twig filter (GitHub POC).