
THREATINT
PUBLISHED

CVE-2025-32432

Craft CMS Allows Remote Code Execution
Description

Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack vector. This issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17, and is an additional fix for CVE-2023-41892.

Reserved 2025-04-08 | Published 2025-04-25 | Updated 2025-04-29 | Assigner GitHub_M


CRITICAL: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L)

Problem types

CWE-94: Improper Control of Generation of Code ('Code Injection')

Product status

>= 3.0.0-RC1, < 3.9.15: affected

>= 4.0.0-RC1, < 4.14.15: affected

>= 5.0.0-RC1, < 5.6.17: affected

References

github.com/...ms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3

github.com/...ommit/e1c85441fa47eeb7c688c2053f25419bc0547b47

github.com/craftcms/cms/blob/3.x/CHANGELOG.md

github.com/craftcms/cms/blob/4.x/CHANGELOG.md

github.com/craftcms/cms/blob/5.x/CHANGELOG.md

cve.org (CVE-2025-32432)

nvd.nist.gov (CVE-2025-32432)

https://cve.threatint.eu/CVE/CVE-2025-32432
