Description

Invicti has identified that Craft CMS is vulnerable to remote code execution due to a flaw in the underlying Yii2 framework (CVE-2024-4990)

Remediation

Upgrade to the latest version of Craft CMS

References

Craft CMS and CVE-2025-32432

Investigating an in-the-wild campaign using RCE in CraftCMS

Related Vulnerabilities

GeoServer WMS SSRF (CVE-2023-43795)

Jenkins Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2017-2600)

XWikiplatform Other Vulnerability (CVE-2025-32783)

Moodle Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2021-20183)

Python Improper Restriction of XML External Entity Reference Vulnerability (CVE-2022-48565)

Severity

Critical

Classification

CVE-2025-32432 CWE-470 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Code Execution Known Vulnerabilities