Share
## https://sploitus.com/exploit?id=SAINT:979E0A2287667D3B6923087817642694
Added: 03/25/2026  


### Background

CraftCMS is a content management system written in PHP. 

### Problem

A vulnerability in CraftCMS allows remote attackers to inject arbitrary PHP code into the session file and then execute it using a specially crafted request to generate-transform. 

### Resolution

Upgrade to CraftCMS 3.9.15, 4.14.15, or 5.6.17 or higher. 

### References

https://github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3   
https://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms/   


### Limitations

Exploit works on CraftCMS 4.x and 5.x. (3.x requires a known asset ID.)