PatchSiren cyber security CVE debrief
CVE-2024-56145 Craft CMS CVE debrief
CVE-2024-56145 is a Craft CMS code injection vulnerability that CISA added to its Known Exploited Vulnerabilities catalog on 2025-06-02. That KEV listing means defenders should treat it as an urgent remediation item, especially for internet-facing or cloud-hosted Craft CMS deployments, and work from the official Craft CMS advisory and CISA guidance to mitigate exposure before the 2025-06-23 due date.
- Vendor: Craft CMS
- Product: Craft CMS
- CVSS: Unknown
- CISA KEV: Listed
- Original CVE published: 2025-06-02
- Original CVE updated: 2025-06-02
- Advisory published: 2025-06-02
- Advisory updated: 2025-06-02
Who should care
Craft CMS administrators, security teams, and service owners running public-facing or cloud-hosted Craft CMS instances should prioritize this immediately. Asset managers and incident response teams should also review exposure, because CISA has placed the CVE in KEV, indicating known exploitation.
Technical summary
The supplied corpus identifies the issue as a code injection vulnerability in Craft CMS. No CVSS score, affected version range, or exploit mechanics are included in the provided data. The strongest technical signal available here is CISA's KEV entry, which confirms the vulnerability is known to be exploited and elevates the need for vendor-directed remediation.
Defensive priority
Urgent
Recommended defensive actions
- Review the official Craft CMS security advisory referenced by CISA and apply the vendor-recommended fix or mitigation as soon as possible.
- Inventory all Craft CMS installations, with special attention to internet-facing and cloud-hosted systems.
- Follow CISA BOD 22-01 guidance for cloud services where applicable.
- If a safe mitigation is not available, isolate or discontinue use of the affected product until a fix can be applied.
- Validate remediation before the CISA KEV due date of 2025-06-23.
Evidence notes
This debrief is grounded in the supplied CISA KEV source item for CVE-2024-56145, which names Craft CMS and classifies the issue as a code injection vulnerability. The corpus confirms KEV inclusion on 2025-06-02 and a remediation due date of 2025-06-23, but does not provide CVSS, affected versions, or exploitation details beyond the known-exploited designation. CISA's notes reference the Craft CMS GitHub security advisory and the NVD entry.
Official resources
- CVE-2024-56145 CVE record (CVE.org)
- CVE-2024-56145 NVD detail (NVD)
- CISA Known Exploited Vulnerabilities catalog (CISA): Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- Source item URL (cisa_kev)
Publicly disclosed in CISA's Known Exploited Vulnerabilities catalog on 2025-06-02, with remediation due by 2025-06-23.