CraftCMS generate-transform command injection

Added: 03/25/2026

Background

CraftCMS is a content management system written in PHP.

Problem

A vulnerability in CraftCMS allows remote attackers to inject arbitrary PHP code into the session file and then execute it using a specially crafted request to generate-transform.

Resolution

Upgrade to a fixed release: CraftCMS 3.9.15, 4.14.15, or 5.6.17, or any later version in the corresponding branch.

References

https://github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3
https://sensepost.com/blog/2025/investigating-an-in-the-wild-campaign-using-rce-in-craftcms/

Limitations

Exploit works on CraftCMS 4.x and 5.x. (3.x requires a known asset ID.)