What is the CVSS score of CVE-2024-32641?

CVE-2024-32641 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 1.0%.

Which versions of Masacms are affected by CVE-2024-32641?

Masa CMS installations are vulnerable to unauthenticated remote code execution, allowing attackers to take complete control of affected systems without user interaction.. A patch is available.

Is there a public PoC exploit available for CVE-2024-32641?

Yes, a public proof-of-concept exploit is available for CVE-2024-32641. Prioritise patching immediately. EPSS: 1.0%.

How to fix or mitigate CVE-2024-32641?

Within 24 hours: identify all systems running Masa CMS and determine installed versions (7.2.x, 7.3.x, or 7.4.x prior to patched versions). Within 7 days: apply vendor patches (upgrade to versions 7.2.8, 7.3.13, or 7.4.6) or take affected systems offline. Within 30 days: conduct incident response assessment to determine if systems were compromised during exposure window, review access logs, and implement post-incident security controls.

Masacms CVE-2024-32641

EUVD-2024-30443 CRITICAL

Code Injection (CWE-94)

2025-12-03 security-advisories@github.com

Code Injection RCE Masacms

9.8

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

9.8 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Mar 15, 2026 - 16:14 euvd

EUVD-2024-30443

Analysis Generated

Mar 15, 2026 - 16:14 vuln.today

Patch released

Mar 15, 2026 - 16:14 nvd

Patch available

PoC Detected

Dec 05, 2025 - 14:47 vuln.today

Public exploit code

CVE Published

Dec 03, 2025 - 17:15 nvd

CRITICAL 9.8

DescriptionGitHub Advisory

Masa CMS is an open source Enterprise Content Management platform. Masa CMS versions prior to 7.2.8, 7.3.13, and 7.4.6 are vulnerable to remote code execution. The vulnerability exists in the addParam function, which accepts user input via the criteria parameter. This input is subsequently evaluated by setDynamicContent, allowing an unauthenticated attacker to execute arbitrary code via the m tag. The vulnerability is patched in versions 7.2.8, 7.3.13, and 7.4.6.

Analysis

Technical ContextAI

Remote code execution allows an attacker to run arbitrary commands or code on the target system over a network without prior authentication. This vulnerability is classified as Code Injection (CWE-94).

RemediationAI

A vendor patch is available — apply it immediately. Apply vendor patches immediately. Restrict network access to vulnerable services. Implement network segmentation and monitoring for anomalous activity.

CVE-2024-32641 vulnerability details – vuln.today

Back

Masacms CVE-2024-32641

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

Analysis

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code