CVE Tracker

CVE ID	Severity	EPSS	Vendor	Description	Date	Status
CVE-2025-32432(2)	High	87.7%	Craft CMSCraft CMS	Craft CMS contains a code injection vulnerability that allows a remote attacker to execute arbitrary code.	Mar 20, 2026	KEV
CVE-2025-35939	High	30.1%	Craft CMSCraft CMS	Craft CMS contains an external control of assumed-immutable web parameter vulnerability. This vulnerability could allow an unauthenticated client to introduce arbitrary values, such as PHP code, to a known local file location on the server. This vulnerability could be chained with CVE-2024-58136 as represented by CVE-2025-32432.	Jun 2, 2025	KEV
CVE-2024-56145	High	93.8%	Craft CMSCraft CMS	Craft CMS contains a code injection vulnerability. Users with affected versions are vulnerable to remote code execution if their php.ini configuration has `register_argc_argv` enabled.	Jun 2, 2025	KEV
CVE-2024-58136	High	59.3%	YiiframeworkYii	Yii Framework contains an improper protection of alternate path vulnerability that may allow a remote attacker to execute arbitrary code. This vulnerability could affect other products that implement Yii, including—but not limited to—Craft CMS, as represented by CVE-2025-32432.	May 2, 2025	KEV
CVE-2025-23209	High	19.1%	Craft CMSCraft CMS	Craft CMS contains a code injection vulnerability caused by improper validation of the database backup path, ultimately enabling remote code execution.	Feb 20, 2025	KEV

CVE-2025-32432KEV

High

Craft CMS contains a code injection vulnerability that allows a remote attacker to execute arbitrary code.

Craft CMSEPSS 87.7%

CVE-2025-35939KEV

High

Craft CMS contains an external control of assumed-immutable web parameter vulnerability. This vulnerability could allow an unauthenticated client to introduce arbitrary values, such as PHP code, to a known local file location on the server. This vulnerability could be chained with CVE-2024-58136 as represented by CVE-2025-32432.

Craft CMSEPSS 30.1%

CVE-2024-56145KEV

High

Craft CMS contains a code injection vulnerability. Users with affected versions are vulnerable to remote code execution if their php.ini configuration has `register_argc_argv` enabled.

Craft CMSEPSS 93.8%

CVE-2024-58136KEV

High

Yii Framework contains an improper protection of alternate path vulnerability that may allow a remote attacker to execute arbitrary code. This vulnerability could affect other products that implement Yii, including—but not limited to—Craft CMS, as represented by CVE-2025-32432.

YiiframeworkEPSS 59.3%

CVE-2025-23209KEV

High

Craft CMS contains a code injection vulnerability caused by improper validation of the database backup path, ultimately enabling remote code execution.

Craft CMSEPSS 19.1%