Craft CMS Remote Code Execution Vulnerability Fixed
Summary
CISA has updated its Known Exploited Vulnerabilities (KEV) catalog to include CVE-2025-32432, a critical remote code execution vulnerability in Craft CMS. The vulnerability affects versions 3.x, 4.x, and 5.x and has been patched by the vendor. Organizations are urged to update their Craft CMS instances to the latest versions to mitigate this risk.
What changed
CISA has added CVE-2025-32432 to its Known Exploited Vulnerabilities (KEV) catalog. This vulnerability is a critical remote code execution flaw in Craft CMS, affecting versions 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17. The vulnerability has a CVSS score of 10.0 and is categorized under CWE-94: Improper Control of Generation of Code ('Code Injection'). This is an additional fix for CVE-2023-41892.
Organizations utilizing Craft CMS must update their installations to the patched versions (3.9.15, 4.14.15, or 5.6.17) immediately to prevent exploitation. Failure to do so could lead to unauthorized code execution on affected systems, posing a significant security risk. The KEV catalog indicates active exploitation, underscoring the urgency of this remediation.
What to do next
- Update Craft CMS to versions 3.9.15, 4.14.15, or 5.6.17
- Review systems for signs of compromise related to CVE-2025-32432
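To triage a fleet against the version ranges above, here is an added example (not part of the CISA summary or the CVE record) that reads the installed craftcms/cms version from a project's composer.lock and classifies it as affected, fixed, or unknown; the composer.lock fragment is constructed for the demonstration, and release-candidate builds are ordered before the final release so that 3.0.0-RC1 counts as affected.

```python
import json
import re

# Affected ranges as listed in the CVE record: lower bound inclusive, upper bound exclusive.
# The upper bound of each range is also the patched release to update to.
AFFECTED_RANGES = {
    3: ("3.0.0-RC1", "3.9.15"),
    4: ("4.0.0-RC1", "4.14.15"),
    5: ("5.0.0-RC1", "5.6.17"),
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-RC(\d+))?$", re.IGNORECASE)


def parse_version(text):
    """Turn '4.14.3' or '3.0.0-RC1' into a sortable tuple.

    A release candidate sorts before the final release of the same number
    (3.0.0-RC1 < 3.0.0), so the tuple carries a flag: 0 for RC, 1 for final.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Craft version string: {text!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), 0 if rc else 1, int(rc or 0))


def status_for(version):
    """Return 'affected', 'fixed' or 'unknown' for an installed Craft CMS version."""
    v = parse_version(version)
    if v[0] not in AFFECTED_RANGES:
        return "unknown"  # the record's default status for versions it does not list
    low, high = AFFECTED_RANGES[v[0]]
    if parse_version(low) <= v < parse_version(high):
        return "affected"
    return "fixed" if v >= parse_version(high) else "unknown"


def craft_version_from_lock(lock_json):
    """Pull the installed craftcms/cms version out of a composer.lock document."""
    for pkg in json.loads(lock_json).get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg["version"]
    return None


# Constructed composer.lock fragment for demonstration, not a real project's file.
SAMPLE_LOCK = json.dumps({"packages": [{"name": "craftcms/cms", "version": "4.14.3"}]})

if __name__ == "__main__":
    installed = craft_version_from_lock(SAMPLE_LOCK)
    print(installed, status_for(installed))  # 4.14.3 affected
```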
Source document (simplified)
Required CVE Record Information
CNA: GitHub (maintainer security advisories)
Description
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack vector. This issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17, and is an additional fix for CVE-2023-41892.
CWE 1 Total
- CWE-94: Improper Control of Generation of Code ('Code Injection')
CVSS 1 Total
| Score | Severity | Version | Vector String |
| --- | --- | --- | --- |
| 10.0 | CRITICAL | 3.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L |
Product Status
Versions 3 Total
Default Status: unknown
- affected at >= 3.0.0-RC1, < 3.9.15
- affected at >= 4.0.0-RC1, < 4.14.15
- affected at >= 5.0.0-RC1, < 5.6.17
References 5 Total
- github.com: https://github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3
- github.com: https://github.com/craftcms/cms/commit/e1c85441fa47eeb7c688c2053f25419bc0547b47
- github.com: https://github.com/craftcms/cms/blob/3.x/CHANGELOG.md#3915---2025-04-10-critical
- github.com: https://github.com/craftcms/cms/blob/4.x/CHANGELOG.md#41415---2025-04-10-critical
- github.com: https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5617---2025-04-10-critical
Authorized Data Publishers
CISA-ADP (updated 2026-03-20): SSVC and KEV, plus CVSS and CWE if not provided by the CNA.
SSVC 1 Total
| Exploitation | Automatable | Technical Impact | Version | Date Accessed |
| --- | --- | --- | --- | --- |
| active | yes | total | 2.0.3 | 2026-03-20 |
KEV 1 Total
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-32432 (2026-03-20)