VYPR
Critical severityCISA KEVNVD Advisory· Published Dec 18, 2024· Updated Oct 21, 2025

RCE when PHP `register_argc_argv` config setting is enabled in craftcms/cms

CVE-2024-56145

Description

Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Users of affected versions are affected by this vulnerability if their php.ini configuration has register_argc_argv enabled. For these users an unspecified remote code execution vector is present. Users are advised to update to version 3.9.14, 4.13.2, or 5.5.2. Users unable to upgrade should disable register_argc_argv to mitigate the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
craftcms/cmsPackagist
>= 5.0.0-RC1, < 5.5.25.5.2
craftcms/cmsPackagist
>= 4.0.0-RC1, < 4.13.24.13.2
craftcms/cmsPackagist
>= 3.0.0, < 3.9.143.9.14

Affected products

2

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.