CVE-2024-56145

Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Users of affected versions are affected by this vulnerability if their php.ini configuration has `register_argc_argv` enabled. For these users an unspecified remote code execution vector is present. Users are advised to update to version 3.9.14, 4.13.2, or 5.5.2. Users unable to upgrade should disable `register_argc_argv` to mitigate the issue.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/craftcms/cms/commit/82e893fb794d30563da296bca31379c0df0079b3	Patch
https://github.com/craftcms/cms/security/advisories/GHSA-2p6p-9rc9-62j9	Vendor Advisory
https://github.com/Chocapikk/CVE-2024-56145	Exploit

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:craftcms:craft_cms::::::::
	cpe:2.3:a:craftcms:craft_cms::::::::
	cpe:2.3:a:craftcms:craft_cms::::::::

History

03 Jun 2025, 20:48

Type	Values Removed	Values Added
References	~~() https://github.com/craftcms/cms/commit/82e893fb794d30563da296bca31379c0df0079b3 -~~	() https://github.com/craftcms/cms/commit/82e893fb794d30563da296bca31379c0df0079b3 - Patch
References	~~() https://github.com/craftcms/cms/security/advisories/GHSA-2p6p-9rc9-62j9 -~~	() https://github.com/craftcms/cms/security/advisories/GHSA-2p6p-9rc9-62j9 - Vendor Advisory
References	~~() https://github.com/Chocapikk/CVE-2024-56145 -~~	() https://github.com/Chocapikk/CVE-2024-56145 - Exploit
First Time		Craftcms craft Cms Craftcms
CPE		cpe:2.3:a:craftcms:craft_cms::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8

30 May 2025, 14:15

Type	Values Removed	Values Added
References		() https://github.com/Chocapikk/CVE-2024-56145 -

19 Dec 2024, 21:15

Type	Values Removed	Values Added
Summary		(es) Craft es un CMS flexible y fácil de usar para crear experiencias digitales personalizadas en la web y más allá. Los usuarios de las versiones afectadas se ven afectados por esta vulnerabilidad si su configuración php.ini tiene `register_argc_argv` habilitado. Para estos usuarios existe un vector de ejecución de código remoto no especificado. Se recomienda a los usuarios que actualicen a la versión 4.13.2 o 5.5.2. Los usuarios que no puedan actualizar deben deshabilitar `register_argc_argv` para mitigar el problema.
Summary	(en) Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Users of affected versions are affected by this vulnerability if their php.ini configuration has `register_argc_argv` enabled. For these users an unspecified remote code execution vector is present. Users are advised to update to version 4.13.2 or 5.5.2. Users unable to upgrade should disable `register_argc_argv` to mitigate the issue.	(en) Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Users of affected versions are affected by this vulnerability if their php.ini configuration has `register_argc_argv` enabled. For these users an unspecified remote code execution vector is present. Users are advised to update to version 3.9.14, 4.13.2, or 5.5.2. Users unable to upgrade should disable `register_argc_argv` to mitigate the issue.

18 Dec 2024, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-12-18 21:15

Updated : 2025-06-03 20:48

NVD link : CVE-2024-56145

Mitre link : CVE-2024-56145

CVE.ORG link : CVE-2024-56145

JSON object : View

Products Affected

craftcms

craft_cms

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

9.8 /10