Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Users of affected versions are affected by this vulnerability if their php.ini configuration has `register_argc_argv` enabled. For these users an unspecified remote code execution vector is present. Users are advised to update to version 3.9.14, 4.13.2, or 5.5.2. Users unable to upgrade should disable `register_argc_argv` to mitigate the issue.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XCraftcms Craft Cms
APPCraftcms3.0.0 – 3.9.14 (bez)4.0.0 – 4.13.2 (bez)5.0.0 – 5.5.2 (bez)
CISA KEV — detailsi
- Vendori
- Craft CMS
- Producti
- Craft CMS
- Added to KEVi
- June 2, 2025
- Remediation deadline (US Federal)i
- June 23, 2025(overdue)
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Craft CMS contains a code injection vulnerability. Users with affected versions are vulnerable to remote code execution if their php.ini configuration has `register_argc_argv` enabled.
Related vulnerabilities
Krytyczny RCE w Craft CMS — zdalne wykonanie kodu bez uwierzytelnienia
Craft CMS: RCE przez SSTI w polach szablonów Twig
Craft CMS: obejście bloklisty PHP w silniku Twig umożliwia RCE
SQL injection w Craft CMS przez endpoint GraphQL API
Craft CMS is a platform for creating digital experiences. This is a high-impact, low-complexity attack vector....