www.cisa.gov 3/20/2026, 4:23:40 PM

CISA Adds CVE-2025-32432 to Known Exploited Vulnerabilities Catalogue

CyberSIXT Evidence Panel
Primary Source: github.com
CISA KEV: Listed in KEV
Patch: Patch Available

According to CISA, the Known Exploited Vulnerabilities (KEV) Catalog currently shows one entry for Craft CMS: CVE-2025-32432, described as a Craft CMS code injection vulnerability that allows a remote attacker to execute arbitrary code. The entry lists a Date Added of 20 March 2026 and a Due Date of 3 April 2026. It also states that it is “Unknown” whether the vulnerability is known to be used in ransomware campaigns.

Related notes provide links to the Craft CMS knowledge base, GitHub advisories, and the NVD entry for CVE-2025-32432. The KEV record lists CWE-94 as the related weakness and advises applying mitigations per vendor instructions, following applicable cloud guidance, or discontinuing use if mitigations are unavailable. This entry is part of CISA’s effort to prioritise vulnerabilities actively exploited in the wild to help organisations manage risk.

Article by CyberSIXT