Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack vector. This issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17, and is an additional fix for CVE-2023-41892.
The vulnerability classified as CWE-94 (code injection) allows an unauthenticated attacker to remotely execute arbitrary code on the server hosting Craft CMS. The attack is characterized by low complexity and requires no user interaction or possession of an account in the system. This is an additional patch for the previously reported CVE-2023-41892 vulnerability, indicating incomplete removal of the original attack vector.
Attackers can remotely execute arbitrary code on the server, which in practice means complete takeover of the application and potentially the entire system, data theft, backdoor installation, or further lateral movement in the network.
Craft CMS must be immediately updated to version 3.9.15, 4.14.15, or 5.6.17 (released 2025-04-10). Due to active exploitation in production environments, the update should be treated as urgent and performed immediately.
Craft CMS in versions: 3.0.0-RC1 through before 3.9.15, 4.0.0-RC1 through before 4.14.15, and 5.0.0-RC1 through before 5.6.17
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:LCraftcms Craft Cms
APPCraftcms3.0.0 – 3.9.15 (bez)4.0.0 – 4.14.15 (bez)5.0.0 – 5.6.17 (bez)
CISA KEV — detailsi
- Vendori
- Craft CMS
- Producti
- Craft CMS
- Added to KEVi
- March 20, 2026
- Remediation deadline (US Federal)i
- April 3, 2026(overdue)
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Craft CMS contains a code injection vulnerability that allows a remote attacker to execute arbitrary code.
Related vulnerabilities
RCE w Craft CMS przez nieprawidłową konfigurację register_argc_argv
Craft CMS: RCE przez SSTI w polach szablonów Twig
Craft CMS: obejście bloklisty PHP w silniku Twig umożliwia RCE
SQL injection w Craft CMS przez endpoint GraphQL API
Craft CMS is a platform for creating digital experiences. This is a high-impact, low-complexity attack vector....