Is CVE-2025-32432 actively exploited?

CVE-2025-32432 has no public evidence of in-the-wild exploitation as of 2025-04-28.

What is the CVSS score for CVE-2025-32432?

CVE-2025-32432 has a CVSS score of 10 (CRITICAL severity). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L.

How do I patch CVE-2025-32432?

Patch guidance is available from craftcms security advisories. CVEDatabase generates AI-assisted remediation guidance on demand for CVE-2025-32432.

Fix CVE-2025-32432 - CRITICAL craftcms craft cms

Q: Which products are affected by CVE-2025-32432?

3 products: craftcms craft cms, craftcms craft cms, craftcms craft cms.

Description

Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity attack vector. This issue has been patched in versions 3.9.15, 4.14.15, and 5.6.17, and is an additional fix for CVE-2023-41892.

CVSS Metrics

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
Attack Vector: network
Complexity: low
Privileges: none
User Action: none
Scope: changed
Confidentiality: high
Integrity: high
Availability: low
Weaknesses: CWE-94 · Code InjectionNVD-CWE-noinfo

Metadata

Primary Vendor: CRAFTCMS
Published: 4/25/2025
Last Modified: 4/28/2025
Source: NIST NVD
Note: Verify all details with official vendor sources before applying patches.

CVE-2025-32432

Description

CVSS Metrics

Metadata

Affected Products

Remediation Guidance

Executive Summary