{"id":"CVE-2025-32432","summary":"Craft CMS Allows Remote Code Execution","details":"Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Versions from 3.0.0-RC1 before 3.9.15, from 4.0.0-RC1 before 4.14.15, and from 5.0.0-RC1 before 5.6.17 are vulnerable to remote code execution. This is a high-impact, low-complexity attack vector. This issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17, and is an additional fix for CVE-2023-41892.","aliases":["GHSA-f3gw-9ww9-jmc3"],"modified":"2026-04-10T05:25:10.157270Z","published":"2025-04-25T15:04:06.272Z","database_specific":{"cwe_ids":["CWE-94"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/32xxx/CVE-2025-32432.json","cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/craftcms/cms/blob/3.x/CHANGELOG.md#3915---2025-04-10-critical"},{"type":"WEB","url":"https://github.com/craftcms/cms/blob/4.x/CHANGELOG.md#41415---2025-04-10-critical"},{"type":"WEB","url":"https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5617---2025-04-10-critical"},{"type":"WEB","url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-32432"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/32xxx/CVE-2025-32432.json"},{"type":"ADVISORY","url":"https://github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-32432"},{"type":"FIX","url":"https://github.com/craftcms/cms/commit/e1c85441fa47eeb7c688c2053f25419bc0547b47"},{"type":"EVIDENCE","url":"https://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/craftcms/cms","events":[{"introduced":"c269bee9d8e7def9470b2e41d0a5b09c08c7f594"},{"fixed":"9e2781f26f5972aaba333f20b07b33514ce84c03"}],"database_specific":{"versions":[{"introduced":"3.0.0-RC1"},{"fixed":"3.9.15"}]}},{"type":"GIT","repo":"https://github.com/craftcms/cms","events":[{"introduced":"daac7c1da2f701f2e9ddee1da1457ce61660b581"},{"fixed":"84bda0c406cea052bdf6cd30b44a60e52757f9ee"}],"database_specific":{"versions":[{"introduced":"4.0.0-RC1"},{"fixed":"4.14.15"}]}},{"type":"GIT","repo":"https://github.com/craftcms/cms","events":[{"introduced":"04755d93f86d07cc183db47db8a0eee106892e30"},{"fixed":"19ce0bab651ab52c7b394f5f4a2ed0621ba90bd7"}],"database_specific":{"versions":[{"introduced":"5.0.0-RC1"},{"fixed":"5.6.17"}]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-32432.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L"}]}