vulnerability
Craft CMS: CVE-2025-32432: Remote Code Execution via Unsafe Deserialization
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 10 | (AV:N/AC:L/Au:N/C:C/I:C/A:C) | Apr 25, 2025 | Apr 15, 2026 | Apr 15, 2026 |
Severity
10
CVSS
(AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published
Apr 25, 2025
Added
Apr 15, 2026
Modified
Apr 15, 2026
Description
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond.
Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17,
Craft is vulnerable to remote code execution. Unauthenticated attackers can exploit remote code execution
vulnerabilities through unsafe deserialization in the asset transform functionality, achieving complete server compromise.
This is a high-impact, low-complexity attack vector. This issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17,
and is an additional fix for CVE-2023-41892.
Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17,
Craft is vulnerable to remote code execution. Unauthenticated attackers can exploit remote code execution
vulnerabilities through unsafe deserialization in the asset transform functionality, achieving complete server compromise.
This is a high-impact, low-complexity attack vector. This issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17,
and is an additional fix for CVE-2023-41892.
Solution
craft-cms-upgrade-latest
References
- CVE-2025-32432
- https://attackerkb.com/topics/CVE-2025-32432
- https://nvd.nist.gov/vuln/detail/CVE-2025-32432
- https://github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3
- https://github.com/craftcms/cms/commit/e1c85441fa47eeb7c688c2053f25419bc0547b47
- CWE-94
- EUVD-EUVD-2025-12521
- https://euvd.enisa.europa.eu/vulnerability/CVE-2025-32432
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.