Skip to main content

Craft Cms CVE-2024-56145

CRITICAL
Code Injection (CWE-94)
2024-12-18 security-advisories@github.com
9.3
CVSS 4.0 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (github) · only source for this CVE.

CVSS VectorVendor: github

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Added to CISA KEV
Jul 14, 2026 - 04:22 CISA
CVE Published
Dec 18, 2024 - 21:15 cve.org
CRITICAL 9.3

DescriptionCVE.org

Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Users of affected versions are affected by this vulnerability if their php.ini configuration has register_argc_argv enabled. For these users an unspecified remote code execution vector is present. Users are advised to update to version 3.9.14, 4.13.2, or 5.5.2. Users unable to upgrade should disable register_argc_argv to mitigate the issue.

AnalysisAI

Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified as Code Injection (CWE-94), which allows attackers to inject and execute arbitrary code within the application. Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Users of affected versions are affected by this vulnerability if their php.ini configuration has register_argc_argv enabled. For these users an unspecified remote code execution vector is present. Users are advised to update to version 3.9.14, 4.13.2, or 5.5.2. Users unable to upgrade should disable register_argc_argv to mitigate the issue. Affected products include: Craftcms Craft Cms. Version information: version 3.9.14.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Never evaluate user-controlled input as code. Use sandboxing, disable dangerous functions, apply strict input validation.

CVE-2025-32432 CRITICAL POC
10.0 Apr 25

Craft CMS versions 3.x through 5.x contain a critical remote code execution vulnerability (CVSS 10.0) that allows unauth

CVE-2025-35939 MEDIUM
6.9 May 07

Craft CMS stores arbitrary content provided by unauthenticated users in session files. Rated medium severity (CVSS 6.9),

CVE-2023-41892 CRITICAL POC
9.8 Sep 13

Craft CMS is a platform for creating digital experiences. Rated critical severity (CVSS 9.8), this vulnerability is remo

CVE-2024-37843 CRITICAL POC
9.8 Jun 25

Craft CMS up to v3.7.31 was discovered to contain a SQL injection vulnerability via the GraphQL API endpoint. Rated crit

CVE-2020-9757 CRITICAL POC
9.8 Mar 04

The SEOmatic component before 3.3.0 for Craft CMS allows Server-Side Template Injection that leads to RCE via malformed

CVE-2026-28697 CRITICAL POC
9.1 Mar 04

RCE in Craft CMS before 4.17.0-beta.1/5.9.0-beta.1 via template injection for authenticated admins. PoC and patch availa

CVE-2025-68456 CRITICAL POC
9.1 Jan 05

Craft CMS (5.0.0-RC1 through 5.8.20, 3.x through 4.16.16) allows unauthenticated users to trigger database backup operat

CVE-2025-68454 HIGH POC
8.8 Jan 05

Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 ar

CVE-2026-25495 HIGH POC
8.8 Feb 09

SQL injection in Craft CMS 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21 allows authenticated Control Panel use

CVE-2023-30130 HIGH POC
8.8 May 12

An issue found in CraftCMS v.3.8.1 allows a remote attacker to execute arbitrary code via a crafted script to the Sectio

CVE-2022-29933 HIGH POC
8.8 May 09

Craft CMS through 3.7.36 allows a remote unauthenticated attacker, who knows at least one valid username, to reset the a

CVE-2018-3814 HIGH POC
8.8 Jan 01

Craft CMS 2.6.3000 allows remote attackers to execute arbitrary PHP code by using the "Assets->Upload files" screen and

Share

CVE-2024-56145 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy