CVE-2025-32432

Analyzed
Published: 25 Apr 2025, 15:04
Last modified: 21 Mar 2026, 04:00

Vulnerability Summary

Overall Risk (default)
critical
90/100
CVSS Score
10 CRITICAL
v3.1 (cve.org)
EPSS Score
89.44% CRITICAL
89% probability +10.38%
KEV
Listed
CISA
1 listing
Ransomware
No reports
Public exploits
2 found
Dark Web
Not detected

Timeline

25 Apr 2025, 15:04
Published
Vulnerability first disclosed
20 Mar 2026, 00:00
Added to CISA KEV
Craft CMS Code Injection Vulnerability
21 Mar 2026, 04:00
Last Modified
Vulnerability information updated
03 Apr 2026, 00:00
CISA Remediation Due
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Description

Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack vector. This issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17, and is an additional fix for CVE-2023-41892.

CVSS Metrics

  • v3.1 CRITICAL, Score: 10, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
  • v3.1 CRITICAL, Score: 10, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 89.44% Percentile: 100%

Techniques & Countermeasures

  • CWE-94 Improper Control of Generation of Code ('Code Injection')

    The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Affected Systems

  • craftcms:cms

    ≥ 3.0.0-RC1, < 3.9.15 | ≥ 4.0.0-RC1, < 4.14.15 | ≥ 5.0.0-RC1, < 5.6.17

  • craftcms:craft_cms

    ≥ 3.0.0, < 3.9.15 | ≥ 4.0.0, < 4.14.15 | ≥ 5.0.0, < 5.6.17
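The ranges above have an inclusive RC1 lower bound and an exclusive fixed-release upper bound, so a naive string comparison or a check that ignores pre-release tags will misclassify builds such as 4.0.0-RC1 or 4.0.0-beta.1. The following triage helper is an added example, not code from this page, from Craft CMS or from any scanner: it copies the three ranges from the advisory text and classifies an inventory of version strings. It assumes Composer-style pre-release ordering (alpha < beta < RC < final release) for Craft's tags, which the advisory does not state; the host names and version list in the block are constructed for illustration.

```python
"""Affected-version check for CVE-2025-32432 (added example; not from the CVE page, Craft CMS, or any scanner).

The three ranges are copied from the advisory text on this page. Version strings are
parsed with Composer-style pre-release ordering (alpha < beta < RC < final), which is an
assumption about Craft's release tags; the advisory only names the RC1 lower bounds and
the fixed releases.
"""
import re

# (inclusive lower bound, exclusive upper bound, fixed release) per the advisory on this page.
AFFECTED_RANGES = (
    ("3.0.0-RC1", "3.9.15", "3.9.15"),
    ("4.0.0-RC1", "4.14.15", "4.14.15"),
    ("5.0.0-RC1", "5.6.17", "5.6.17"),
)

# Pre-release stage ordering (assumption: Composer/Packagist semantics, case-insensitive).
_STAGE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3  # a final release sorts after every pre-release of the same x.y.z

_VERSION_RE = re.compile(
    r"^v?(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"(?:[-.]?(?P<stage>alpha|beta|rc)[-.]?(?P<num>\d*))?$",
    re.IGNORECASE,
)


def parse_version(text: str) -> tuple:
    """Turn '4.0.0-RC1' into a sortable tuple: (major, minor, patch, stage_rank, stage_number)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Craft version string: {text!r}")
    stage = m.group("stage")
    if stage is None:
        rank, num = _FINAL_RANK, 0
    else:
        rank = _STAGE_RANK[stage.lower()]
        num = int(m.group("num") or 0)
    return (int(m.group("major")), int(m.group("minor")), int(m.group("patch")), rank, num)


def is_affected(version: str) -> bool:
    """True if the version falls in any affected range (lower bound inclusive, upper bound exclusive)."""
    v = parse_version(version)
    return any(parse_version(low) <= v < parse_version(high) for low, high, _ in AFFECTED_RANGES)


def fixed_version_for(version: str):
    """Return the first fixed release on the same major line, or None if that major is not in scope."""
    major = parse_version(version)[0]
    for low, _, fixed in AFFECTED_RANGES:
        if parse_version(low)[0] == major:
            return fixed
    return None


def triage(inventory):
    """Classify (host, version) pairs; unparseable strings are flagged rather than silently skipped."""
    result = {}
    for host, version in inventory:
        try:
            if is_affected(version):
                result[host] = f"VULNERABLE: upgrade to {fixed_version_for(version)}"
            else:
                result[host] = "not affected"
        except ValueError:
            result[host] = "UNKNOWN: could not parse version"
    return result


if __name__ == "__main__":
    # Constructed inventory with hypothetical host names; not real data.
    sample = [
        ("web-01", "3.9.14"),
        ("web-02", "4.0.0-beta.1"),
        ("web-03", "4.0.0-RC1"),
        ("web-04", "5.6.16"),
        ("web-05", "5.6.17"),
        ("web-06", "dev-main"),
    ]
    for host, status in triage(sample).items():
        print(f"{host:8s} {status}")
```

Versions the parser cannot classify (for example Composer `dev-*` branch aliases) are reported as UNKNOWN so they surface for manual review instead of being counted as patched.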

References (7)