← Back

CVE-2025-32432

nvd nistnuclei
Published: Apr 25, 2025Modified: Mar 20, 2026CISA KEV

JSON object

Loading...
10.0
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploitability: 3.9 / Impact: 6.0
Source: NVD

Description

Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack vector. This issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17, and is an additional fix for CVE-2023-41892.

Affected (3)

Products: Craftcms: Craft Cms
Craftcms
1 product
Craft Cms
Configuration A
3 vulnerable
Vulnerable SoftwareAffected Versions
Craftcms
Craft Cms
From 3.0.0 to 3.9.15
Craft Cms
From 4.0.0 to 4.14.15
Craft Cms
From 5.0.0 to 5.6.17

Related CWEs

CWE-94
Improper Control of Generation of Code ('Code Injection')
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (7)

Source: security-advisories@github.com
Release NotesProduct
Source: security-advisories@github.com
ProductRelease Notes
Source: security-advisories@github.com
ProductRelease Notes
Source: security-advisories@github.com
Patch
Source: security-advisories@github.com
Vendor Advisory
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
ExploitPress/Media Coverage
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
US Government Resource

Timeline

No history available yet.