## https://sploitus.com/exploit?id=SAINT:DFB1F0C50A2B0AC60933E16F6A11B341
Added: 03/25/2026
### Background
CraftCMS is a content management system written in PHP.
### Problem
A vulnerability in CraftCMS allows remote attackers to inject arbitrary PHP code into the session file and then execute it using a specially crafted request to generate-transform.
### Resolution
Upgrade to CraftCMS 3.9.15, 4.14.15, or 5.6.17 or higher.
### References
https://github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3
https://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms/
### Limitations
Exploit works on CraftCMS 4.x and 5.x. (3.x requires a known asset ID.)