KEVIntel
CVSS 9.3 · Critical

CVE-2024-56145

PUBLISHED

RCE when PHP `register_argc_argv` config setting is enabled in craftcms/cms

1 day faster than CISA KEV

Exploited in the wild · PoC available · Remote · Low complexity · No user interaction

Vendor: craftcms
Product: cms
Published: Dec 18, 2024
EPSS: 93.9% · 100% pctl


Description

Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Installations running affected versions are vulnerable if their php.ini configuration has `register_argc_argv` enabled. For these installations an unspecified remote code execution vector is present. Users are advised to update to version 3.9.14, 4.13.2, or 5.5.2. Users unable to upgrade should disable `register_argc_argv` to mitigate the issue.

Tags: php, cisa, nuclei_scanner

Weaknesses (CWE)

  • Improper Control of Generation of Code ('Code Injection')

CVSS Scores

CVSS v4.0 9.3 Critical

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVSS v3.1 9.8 Critical

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitation Status

Exploited in the wild

Recorded 2026-06-01 13:30:39 UTC · CISA

Proof of concept available

Recorded 2024-12-22 11:53:04 UTC · GitHub

Known Exploited Vulnerability Sources

Catalogues that list this CVE as a known exploited vulnerability.

Source Added
CVE First 2026-06-01 10:30 UTC
CISA 2026-06-02 14:07 UTC

Potential Proof of Concepts

These PoCs are unverified and could contain malware. Use at your own risk.

Sachinart/CVE-2024-56145-craftcms-rce

github · Created 2024-12-22 11:53:04 UTC · 2 stars

CVE-2024-56145 SSTI to RCE - twig templates

Chocapikk/CVE-2024-56145

github · Created 2024-12-20 03:34:01 UTC · 42 stars

Unauthenticated RCE on CraftCMS when PHP `register_argc_argv` config setting is enabled

CVE-2024-56145

nuclei · Created Unknown

craftcms_ftp_template

metasploit · Created Unknown

Metasploit module for CVE-2024-56145

Timeline

  • KEV confirmed by CISA

  • Added to KEVIntel

  • Detected by Metasploit

  • Detected by Nuclei

  • Proof of Concept Exploit Available

  • CVE Published to Public

  • CVE ID Reserved