Description

Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Installations running an affected version are vulnerable if their php.ini configuration has `register_argc_argv` enabled. For these users, an unspecified remote code execution vector is present. Users are advised to update to version 3.9.14, 4.13.2, or 5.5.2. Users unable to upgrade should disable `register_argc_argv` to mitigate the issue.

PUBLISHED Reserved 2024-12-16 | Published 2024-12-18 | Updated 2025-10-21 | Assigner GitHub_M




CRITICAL: 9.3 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CISA Known Exploited Vulnerability

Date added 2025-06-02 | Due date 2025-06-23

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Problem types

CWE-94: Improper Control of Generation of Code ('Code Injection')

Product status

>= 4.0.0-RC1, < 4.13.2 | affected

>= 5.0.0-RC1, < 5.5.2 | affected

>= 3.0.0, < 3.9.14 | affected

References

github.com/Chocapikk/CVE-2024-56145 exploit

www.cisa.gov/...erabilities-catalog?field_cve=CVE-2024-56145 government-resource

github.com/...ms/cms/security/advisories/GHSA-2p6p-9rc9-62j9

github.com/...ommit/82e893fb794d30563da296bca31379c0df0079b3

cve.org (CVE-2024-56145)

nvd.nist.gov (CVE-2024-56145)