CVE-2025-32432 CRITICAL

CVE-2025-32432: Craft CMS Allows Remote Code Execution

Vendor Craftcms
Product cms
Weakness CWE-94 · Code injection
KEV Status Known Exploited
Published April 25, 2025
Last update March 21, 2026
View on NVD All CVEs

CVSS base score

10.0/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L

What the vulnerability does

01Description

Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack vector. This issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17, and is an additional fix for CVE-2023-41892.

CISA mandated remediation

02CISA Required Action

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Key dates

03Disclosure timeline

April 25, 2025 CVE published
March 21, 2026 Record updated

Related vulnerabilities

05Related CVE

CVE-2023-0022 Code Injection vulnerability in SAP BusinessObjects Business Intelligence platform (Analysis edition for OLAP) CVE-2023-28793 Heap Based Buffer Overflow in Library CVE-2023-39956 Electron: Out-of-package code execution when launched with arbitrary cwd CVE-2026-42785 OpenKM 6.3.12 Remote Code Execution via Administrative Scripting CVE-2026-29075 Mesa: Checking out of untrusted code in `benchmarks.yml` workflow may lead to code execution in privileged runner