Description
Acunetix has identified that Craft CMS is vulnerable to remote code execution due to a flaw in the underlying Yii2 framework (CVE-2024-4990).
Remediation
Upgrade to the latest version of Craft CMS.
References
Related Vulnerabilities
IBM RTC Inadequate Encryption Strength Vulnerability (CVE-2020-4965)
Jenkins Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2013-0327)
LimeSurvey Improper Restriction of XML External Entity Reference Vulnerability (CVE-2019-16174)
ReviveAdserver Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2016-9127)