CVE-2025-32432

🗓️ 25 Apr 2025 15:04:06Reported by GitHub_MType

cve🔗 web.nvd.nist.gov📰️ 22 Media mentions👁 399 Views🌐 WEB

Craft CMS versions expose remote code execution risk. Patched in recent updates.

Reporter	Title	Published	Views	Family All 41
GithubExploit	Exploit for Code Injection in Craftcms Craft_Cms	23 Sep 202506:23	–	githubexploit
GithubExploit	Exploit for Code Injection in Craftcms Craft_Cms	16 Jul 202509:23	–	githubexploit
GithubExploit	Exploit for Code Injection in Craftcms Craft_Cms	15 May 202614:09	–	githubexploit
GithubExploit	Exploit for Code Injection in Craftcms Craft_Cms	8 Mar 202616:59	–	githubexploit
GithubExploit	Exploit for Code Injection in Craftcms Craft_Cms	30 Apr 202603:38	–	githubexploit
GithubExploit	Exploit for Code Injection in Craftcms Craft_Cms	27 Apr 202508:50	–	githubexploit
ATTACKERKB	CVE-2024-58136	10 Apr 202500:00	–	attackerkb
ATTACKERKB	CVE-2025-32432	25 Apr 202515:15	–	attackerkb
Circl	CVE-2025-32432	25 Apr 202515:45	–	circl
CISA KEV Catalog	Yiiframework Yii Improper Protection of Alternate Path Vulnerability	2 May 202500:00	–	cisa_kev

NVD

Vulners

Node

craftcms craft_cmsRange3.0.0–3.9.15

craftcms craft_cmsRange4.0.0–4.14.15

craftcms craft_cmsRange5.0.0–5.6.17

[
  {
    "vendor": "craftcms",
    "product": "cms",
    "versions": [
      {
        "version": ">= 3.0.0-RC1, < 3.9.15",
        "status": "affected"
      },
      {
        "version": ">= 4.0.0-RC1, < 4.14.15",
        "status": "affected"
      },
      {
        "version": ">= 5.0.0-RC1, < 5.6.17",
        "status": "affected"
      }
    ]
  }
]

Source	Link
github	www.github.com/craftcms/cms/blob/3.x/CHANGELOG.md
github	www.github.com/craftcms/cms/commit/e1c85441fa47eeb7c688c2053f25419bc0547b47
github	www.github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3
github	www.github.com/craftcms/cms/blob/5.x/CHANGELOG.md
github	www.github.com/craftcms/cms/blob/4.x/CHANGELOG.md
sensepost	www.sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms/
cisa	www.cisa.gov/known-exploited-vulnerabilities-catalog

Parameter	Position	Path	Description	CWE
assetId	request body	actions/assets/generate-transform	Pre-auth RCE via deserialization in assets/generate-transform using Yii PhpManager gadget chain.	CWE-94
handle.width	request body	actions/assets/generate-transform	Pre-auth RCE via deserialization in assets/generate-transform using Yii PhpManager gadget chain.	CWE-94
handle.height	request body	actions/assets/generate-transform	Pre-auth RCE via deserialization in assets/generate-transform using Yii PhpManager gadget chain.	CWE-94
handle.as hack.class	request body	actions/assets/generate-transform	Pre-auth RCE via deserialization in assets/generate-transform using Yii PhpManager gadget chain.	CWE-94
__class	request body	actions/assets/generate-transform	Pre-auth RCE via deserialization in assets/generate-transform using Yii PhpManager gadget chain.	CWE-94
__construct()	request body	actions/assets/generate-transform	Pre-auth RCE via deserialization in assets/generate-transform using Yii PhpManager gadget chain.	CWE-94
itemFile	request body	actions/assets/generate-transform	Pre-auth RCE via deserialization in assets/generate-transform using Yii PhpManager gadget chain.	CWE-94
p	query param	index.php	Session poisoning via injection through query parameter a to admin/dashboard to poison PHP session file.	CWE-94
a	query param	index.php	Session poisoning via injection through query parameter a to admin/dashboard to poison PHP session file.	CWE-94

20 Mar 2026 19:14Current

9.7High risk

Vulners AI Score9.7

CVSS 3.110

EPSS0.92897

SSVC