Share
## https://sploitus.com/exploit?id=SAINT:DFB1F0C50A2B0AC60933E16F6A11B341
Added: 03/25/2026  


### Background

CraftCMS is a content management system written in PHP. 

### Problem

A vulnerability in CraftCMS allows remote attackers to inject arbitrary PHP code into the session file and then execute it using a specially crafted request to generate-transform. 

### Resolution

Upgrade to CraftCMS 3.9.15, 4.14.15, or 5.6.17 or higher. 

### References

https://github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3   
https://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms/   


### Limitations

Exploit works on CraftCMS 4.x and 5.x. (3.x requires a known asset ID.)