VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-x12b-mjr9-sba2

Essentials
Severities (23)
References (7)
Severity details (22)
Exploits (2)
EPSS
History (1)

Vulnerability ID	VCID-x12b-mjr9-sba2
Aliases	CVE-2024-56145 GHSA-2p6p-9rc9-62j9
Summary	Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Users of affected versions are affected by this vulnerability if their php.ini configuration has `register_argc_argv` enabled. For these users an unspecified remote code execution vector is present. Users are advised to update to version 3.9.14, 4.13.2, or 5.5.2. Users unable to upgrade should disable `register_argc_argv` to mitigate the issue.
Status	Published
Exploitability	None
Weighted Severity	None
Risk	None
Affected and Fixed Packages	Package Details

Weaknesses (4)

CWE-94	Improper Control of Generation of Code ('Code Injection')
CWE-78	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
epss	0.93926	https://api.first.org/data/v1/epss?cve=CVE-2024-56145
cvssv3.1	9.8	https://github.com/Chocapikk/CVE-2024-56145
cvssv4	9.3	https://github.com/Chocapikk/CVE-2024-56145
generic_textual	CRITICAL	https://github.com/Chocapikk/CVE-2024-56145
cvssv3.1	9.8	https://github.com/craftcms/cms
cvssv4	9.3	https://github.com/craftcms/cms
generic_textual	CRITICAL	https://github.com/craftcms/cms
cvssv3.1	9.8	https://github.com/craftcms/cms/commit/82e893fb794d30563da296bca31379c0df0079b3
cvssv4	9.3	https://github.com/craftcms/cms/commit/82e893fb794d30563da296bca31379c0df0079b3
cvssv4	9.3	https://github.com/craftcms/cms/commit/82e893fb794d30563da296bca31379c0df0079b3
generic_textual	CRITICAL	https://github.com/craftcms/cms/commit/82e893fb794d30563da296bca31379c0df0079b3
ssvc	Act	https://github.com/craftcms/cms/commit/82e893fb794d30563da296bca31379c0df0079b3
cvssv3.1	9.8	https://github.com/craftcms/cms/security/advisories/GHSA-2p6p-9rc9-62j9
cvssv4	9.3	https://github.com/craftcms/cms/security/advisories/GHSA-2p6p-9rc9-62j9
cvssv4	9.3	https://github.com/craftcms/cms/security/advisories/GHSA-2p6p-9rc9-62j9
generic_textual	CRITICAL	https://github.com/craftcms/cms/security/advisories/GHSA-2p6p-9rc9-62j9
ssvc	Act	https://github.com/craftcms/cms/security/advisories/GHSA-2p6p-9rc9-62j9
cvssv3.1	9.8	https://nvd.nist.gov/vuln/detail/CVE-2024-56145
cvssv4	9.3	https://nvd.nist.gov/vuln/detail/CVE-2024-56145
generic_textual	CRITICAL	https://nvd.nist.gov/vuln/detail/CVE-2024-56145
cvssv3.1	9.8	https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-56145
cvssv4	9.3	https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-56145
generic_textual	CRITICAL	https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-56145

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2024-56145
		https://github.com/Chocapikk/CVE-2024-56145
		https://nvd.nist.gov/vuln/detail/CVE-2024-56145
		https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-56145
82e893fb794d30563da296bca31379c0df0079b3		https://github.com/craftcms/cms/commit/82e893fb794d30563da296bca31379c0df0079b3
GHSA-2p6p-9rc9-62j9		https://github.com/advisories/GHSA-2p6p-9rc9-62j9
GHSA-2p6p-9rc9-62j9		https://github.com/craftcms/cms/security/advisories/GHSA-2p6p-9rc9-62j9

Data source	Metasploit
Description	This module exploits a Twig template injection vulnerability in Craft CMS by abusing the --templatesPath argument. The vulnerability allows arbitrary template loading via FTP, leading to Remote Code Execution (RCE).
Note	Stability: - crash-safe SideEffects: - artifacts-on-disk - ioc-in-logs Reliability: - repeatable-session
Ransomware campaign use	Unknown
Source publication date	Dec. 19, 2024
Platform	Linux,Unix
Source URL	https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/linux/http/craftcms_ftp_template.rb

Data source	KEV
Date added	June 2, 2025
Description	Craft CMS contains a code injection vulnerability. Users with affected versions are vulnerable to remote code execution if their php.ini configuration has `register_argc_argv` enabled.
Required action	Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Due date	June 23, 2025
Note	https://github.com/craftcms/cms/security/advisories/GHSA-2p6p-9rc9-62j9 ; https://nvd.nist.gov/vuln/detail/CVE-2024-56145
Ransomware campaign use	Unknown

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H Found at https://github.com/Chocapikk/CVE-2024-56145

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A Found at https://github.com/Chocapikk/CVE-2024-56145

Attack Vector (AV)	Attack Complexity (AC)	Attack Requirements (AT)	Privileges Required (PR)	User Interaction (UI)	Vulnerable System Impact Confidentiality (VC)	Vulnerable System Impact Integrity (VI)	Vulnerable System Impact Availability (VA)	Subsequent System Impact Confidentiality (SC)	Subsequent System Impact Integrity (SI)	Subsequent System Impact Availability (SA)
network adjacent local physical	low high	none present	none low high	none passive active	high low none	high low none	high low none	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Attack Requirements (AT)

Privileges Required (PR)

User Interaction (UI)

Vulnerable System Impact Confidentiality (VC)

Vulnerable System Impact Integrity (VI)

Vulnerable System Impact Availability (VA)

Subsequent System Impact Confidentiality (SC)

Subsequent System Impact Integrity (SI)

Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H Found at https://github.com/craftcms/cms

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A Found at https://github.com/craftcms/cms

Attack Vector (AV)	Attack Complexity (AC)	Attack Requirements (AT)	Privileges Required (PR)	User Interaction (UI)	Vulnerable System Impact Confidentiality (VC)	Vulnerable System Impact Integrity (VI)	Vulnerable System Impact Availability (VA)	Subsequent System Impact Confidentiality (SC)	Subsequent System Impact Integrity (SI)	Subsequent System Impact Availability (SA)
network adjacent local physical	low high	none present	none low high	none passive active	high low none	high low none	high low none	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Attack Requirements (AT)

Privileges Required (PR)

User Interaction (UI)

Vulnerable System Impact Confidentiality (VC)

Vulnerable System Impact Integrity (VI)

Vulnerable System Impact Availability (VA)

Subsequent System Impact Confidentiality (SC)

Subsequent System Impact Integrity (SI)

Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H Found at https://github.com/craftcms/cms/commit/82e893fb794d30563da296bca31379c0df0079b3

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A Found at https://github.com/craftcms/cms/commit/82e893fb794d30563da296bca31379c0df0079b3

Attack Vector (AV)	Attack Complexity (AC)	Attack Requirements (AT)	Privileges Required (PR)	User Interaction (UI)	Vulnerable System Impact Confidentiality (VC)	Vulnerable System Impact Integrity (VI)	Vulnerable System Impact Availability (VA)	Subsequent System Impact Confidentiality (SC)	Subsequent System Impact Integrity (SI)	Subsequent System Impact Availability (SA)
network adjacent local physical	low high	none present	none low high	none passive active	high low none	high low none	high low none	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Attack Requirements (AT)

Privileges Required (PR)

User Interaction (UI)

Vulnerable System Impact Confidentiality (VC)

Vulnerable System Impact Integrity (VI)

Vulnerable System Impact Availability (VA)

Subsequent System Impact Confidentiality (SC)

Subsequent System Impact Integrity (SI)

Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://github.com/craftcms/cms/commit/82e893fb794d30563da296bca31379c0df0079b3

Attack Vector (AV)	Attack Complexity (AC)	Attack Requirements (AT)	Privileges Required (PR)	User Interaction (UI)	Vulnerable System Impact Confidentiality (VC)	Vulnerable System Impact Integrity (VI)	Vulnerable System Impact Availability (VA)	Subsequent System Impact Confidentiality (SC)	Subsequent System Impact Integrity (SI)	Subsequent System Impact Availability (SA)
network adjacent local physical	low high	none present	none low high	none passive active	high low none	high low none	high low none	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Attack Requirements (AT)

Privileges Required (PR)

User Interaction (UI)

Vulnerable System Impact Confidentiality (VC)

Vulnerable System Impact Integrity (VI)

Vulnerable System Impact Availability (VA)

Subsequent System Impact Confidentiality (SC)

Subsequent System Impact Integrity (SI)

Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-06-06T03:55:30Z/ Found at https://github.com/craftcms/cms/commit/82e893fb794d30563da296bca31379c0df0079b3

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H Found at https://github.com/craftcms/cms/security/advisories/GHSA-2p6p-9rc9-62j9

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://github.com/craftcms/cms/security/advisories/GHSA-2p6p-9rc9-62j9

Attack Vector (AV)	Attack Complexity (AC)	Attack Requirements (AT)	Privileges Required (PR)	User Interaction (UI)	Vulnerable System Impact Confidentiality (VC)	Vulnerable System Impact Integrity (VI)	Vulnerable System Impact Availability (VA)	Subsequent System Impact Confidentiality (SC)	Subsequent System Impact Integrity (SI)	Subsequent System Impact Availability (SA)
network adjacent local physical	low high	none present	none low high	none passive active	high low none	high low none	high low none	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Attack Requirements (AT)

Privileges Required (PR)

User Interaction (UI)

Vulnerable System Impact Confidentiality (VC)

Vulnerable System Impact Integrity (VI)

Vulnerable System Impact Availability (VA)

Subsequent System Impact Confidentiality (SC)

Subsequent System Impact Integrity (SI)

Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A Found at https://github.com/craftcms/cms/security/advisories/GHSA-2p6p-9rc9-62j9

Attack Vector (AV)	Attack Complexity (AC)	Attack Requirements (AT)	Privileges Required (PR)	User Interaction (UI)	Vulnerable System Impact Confidentiality (VC)	Vulnerable System Impact Integrity (VI)	Vulnerable System Impact Availability (VA)	Subsequent System Impact Confidentiality (SC)	Subsequent System Impact Integrity (SI)	Subsequent System Impact Availability (SA)
network adjacent local physical	low high	none present	none low high	none passive active	high low none	high low none	high low none	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Attack Requirements (AT)

Privileges Required (PR)

User Interaction (UI)

Vulnerable System Impact Confidentiality (VC)

Vulnerable System Impact Integrity (VI)

Vulnerable System Impact Availability (VA)

Subsequent System Impact Confidentiality (SC)

Subsequent System Impact Integrity (SI)

Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-06-06T03:55:30Z/ Found at https://github.com/craftcms/cms/security/advisories/GHSA-2p6p-9rc9-62j9

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H Found at https://nvd.nist.gov/vuln/detail/CVE-2024-56145

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A Found at https://nvd.nist.gov/vuln/detail/CVE-2024-56145

Attack Vector (AV)	Attack Complexity (AC)	Attack Requirements (AT)	Privileges Required (PR)	User Interaction (UI)	Vulnerable System Impact Confidentiality (VC)	Vulnerable System Impact Integrity (VI)	Vulnerable System Impact Availability (VA)	Subsequent System Impact Confidentiality (SC)	Subsequent System Impact Integrity (SI)	Subsequent System Impact Availability (SA)
network adjacent local physical	low high	none present	none low high	none passive active	high low none	high low none	high low none	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Attack Requirements (AT)

Privileges Required (PR)

User Interaction (UI)

Vulnerable System Impact Confidentiality (VC)

Vulnerable System Impact Integrity (VI)

Vulnerable System Impact Availability (VA)

Subsequent System Impact Confidentiality (SC)

Subsequent System Impact Integrity (SI)

Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H Found at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-56145

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A Found at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-56145

Attack Vector (AV)	Attack Complexity (AC)	Attack Requirements (AT)	Privileges Required (PR)	User Interaction (UI)	Vulnerable System Impact Confidentiality (VC)	Vulnerable System Impact Integrity (VI)	Vulnerable System Impact Availability (VA)	Subsequent System Impact Confidentiality (SC)	Subsequent System Impact Integrity (SI)	Subsequent System Impact Availability (SA)
network adjacent local physical	low high	none present	none low high	none passive active	high low none	high low none	high low none	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Attack Requirements (AT)

Privileges Required (PR)

User Interaction (UI)

Vulnerable System Impact Confidentiality (VC)

Vulnerable System Impact Integrity (VI)

Vulnerable System Impact Availability (VA)

Subsequent System Impact Confidentiality (SC)

Subsequent System Impact Integrity (SI)

Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.99888
EPSS Score	0.93926
Published At	June 11, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-10T18:33:58.803941+00:00	Vulnrichment	Import	https://github.com/cisagov/vulnrichment/blob/develop/2024/56xxx/CVE-2024-56145.json	38.6.0