PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-32432 Craft CMS CVE debrief

CVE-2025-32432 is a Craft CMS code injection vulnerability that CISA added to its Known Exploited Vulnerabilities catalog on 2026-03-20. Because it is KEV-listed, defenders should treat it as actively exploited and follow the vendor’s mitigation guidance immediately. If mitigations are unavailable, CISA directs organizations to follow applicable BOD 22-01 guidance for cloud services or to discontinue use of the product.

Vendor: Craft CMS
Product: Craft CMS
CVSS: Unknown
CISA KEV: Listed
Original CVE published: 2026-03-20
Original CVE updated: 2026-03-20
Advisory published: 2026-03-20
Advisory updated: 2026-03-20

Who should care

Craft CMS administrators, web application owners, security operations teams, managed service providers, and any organization that runs Craft CMS in production, especially internet-facing deployments.

Technical summary

The supplied corpus identifies CVE-2025-32432 as a Craft CMS code injection issue and confirms it is listed in CISA’s KEV catalog. The corpus does not include affected versions, attack prerequisites, or a fixed version, so the safest posture is to treat every known Craft CMS deployment as needing immediate review against the vendor advisory and the official CVE/NVD records.

Defensive priority

Critical

Recommended defensive actions

  • Review the Craft CMS knowledge base advisory and the GitHub security advisory linked in the source notes for vendor-specific remediation steps.
  • Apply mitigations per vendor instructions as soon as possible.
  • If mitigations are unavailable, follow CISA BOD 22-01 guidance for cloud services or discontinue use of the product.
  • Inventory all Craft CMS instances, including internet-facing and externally managed deployments.
  • Validate remediation across environments and monitor for unexpected behavior or signs of compromise.

Evidence notes

Evidence in the supplied corpus comes from CISA’s KEV feed entry for Craft CMS. It records vendorProject as Craft CMS, product as Craft CMS, vulnerabilityName as Craft CMS Code Injection Vulnerability, dateAdded as 2026-03-20, dueDate as 2026-04-03, and requiredAction text directing mitigations, or discontinuation of the product if mitigations are unavailable. The corpus does not supply CVSS, affected versions, or exploitation details beyond the KEV listing.
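The inventory and validation steps under "Recommended defensive actions", together with the KEV record fields described above, can be turned into a routine check: parse the KEV feed, match its product names against an asset register, and compute how far each deployment is from the BOD 22-01 due date. The script below is an added example written for this debrief, not PatchSiren or CISA tooling. The field names (cveID, vendorProject, product, vulnerabilityName, dateAdded, dueDate, requiredAction) follow CISA's public KEV JSON feed; the feed excerpt, the hostnames, and the inventory rows are constructed sample data, and the second KEV entry is a placeholder used only to show a non-matching record.

```python
"""Match a CISA KEV feed against a local asset inventory and flag deployments
that are due (or overdue) for remediation under BOD 22-01.

Added example for this debrief; not PatchSiren or CISA tooling. Field names
follow CISA's public KEV JSON feed; all data below is constructed.
"""
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed. The values for
# CVE-2025-32432 are the ones this debrief records; the second entry is a
# placeholder (not a real CVE) used only to show a non-matching record.
KEV_FEED_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {
      "cveID": "CVE-2025-32432",
      "vendorProject": "Craft CMS",
      "product": "Craft CMS",
      "vulnerabilityName": "Craft CMS Code Injection Vulnerability",
      "dateAdded": "2026-03-20",
      "dueDate": "2026-04-03",
      "requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."
    },
    {
      "cveID": "CVE-0000-00000",
      "vendorProject": "ExampleVendor",
      "product": "ExampleProduct",
      "vulnerabilityName": "Placeholder entry",
      "dateAdded": "2026-03-01",
      "dueDate": "2026-03-15",
      "requiredAction": "Placeholder."
    }
  ]
}"""

# Constructed inventory: one row per deployment, with the product name as the
# asset register spells it. Matching is case-insensitive on the product field
# so that "craft cms" and "Craft CMS" are treated as the same product.
INVENTORY = [
    {"host": "www.example.test", "product": "Craft CMS", "exposure": "internet-facing"},
    {"host": "intranet.example.test", "product": "craft cms", "exposure": "internal"},
    {"host": "erp.example.test", "product": "OtherApp", "exposure": "internal"},
]


def load_kev(feed_json):
    """Parse the KEV feed text and return its list of vulnerability records."""
    return json.loads(feed_json)["vulnerabilities"]


def match_inventory(kev_entries, inventory, today_iso):
    """Return one finding per (KEV entry, inventory row) pair whose product
    names match. today_iso is an ISO date string; each finding carries the
    BOD 22-01 due date and the days remaining (negative when overdue)."""
    today = date.fromisoformat(today_iso)
    findings = []
    for entry in kev_entries:
        kev_product = entry["product"].strip().lower()
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if asset["product"].strip().lower() != kev_product:
                continue
            findings.append({
                "host": asset["host"],
                "exposure": asset["exposure"],
                "cveID": entry["cveID"],
                "vulnerabilityName": entry["vulnerabilityName"],
                "dueDate": entry["dueDate"],
                "daysRemaining": (due - today).days,
                "overdue": today > due,
            })
    # Internet-facing assets first, then by nearest due date.
    findings.sort(key=lambda f: (f["exposure"] != "internet-facing", f["daysRemaining"]))
    return findings


def report(findings):
    """Format findings as one line each, suitable for a ticket or a SIEM note."""
    lines = []
    for f in findings:
        status = "OVERDUE" if f["overdue"] else f"{f['daysRemaining']}d left"
        lines.append(f"{f['host']:24} {f['exposure']:16} {f['cveID']} due {f['dueDate']} ({status})")
    return lines


if __name__ == "__main__":
    for line in report(match_inventory(load_kev(KEV_FEED_JSON), INVENTORY, "2026-03-25")):
        print(line)
```

In practice the feed text comes from CISA's published KEV JSON and the inventory from the organisation's asset register; the matching here is a plain product-name comparison, so asset records should be normalised to the vendor's product naming before relying on it.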

Official resources

This debrief is limited to the supplied public corpus and official references. It does not include exploit code, reproduction steps, or unsupported technical details.