Jan 7, 2026 · 6 min read
Craft CMS developers put the cart before the horse—specifically, they executed object instantiation logic *before* checking if the user was allowed to be there. This 10.0 CVSS vulnerability allows unauthenticated attackers to turn a Craft CMS server into a shell playground using a simple JSON payload.
This is a critical, unauthenticated Remote Code Execution (RCE) vulnerability in Craft CMS caused by a logic-flow error in the controller lifecycle methods: request-driven object instantiation runs before the authorization check. Attackers can execute arbitrary PHP code via a crafted JSON payload.
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L

| Product | Affected Versions | Fixed Version |
|---|---|---|
| Craft CMS (Pixel & Tonic) | >= 4.0.0-RC1, <= 4.4.14 | 4.4.15 |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-94: Improper Control of Generation of Code ('Code Injection') |
| CVSS v3.1 | 10.0 (Critical) |
| Attack Vector | Network (Unauthenticated) |
| EPSS Score | 93.94% |
| Exploit Status | Active / Weaponized |
| Impact | Remote Code Execution |
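The ordering mistake described above, shown as an added illustration in the Yii 2 controller style Craft CMS uses. This is not Craft's own code or its patch; the controller, the `payload` body parameter and the `prepare()` helper are assumed for the example.

```php
<?php
namespace app\controllers;

use Craft;
use craft\web\Controller;

// WRONG ORDER: init() is a lifecycle method that Yii runs before
// beforeAction(), so anything it does with the request body happens
// before the login/permission gate has had a chance to reject the caller.
class LeakyController extends Controller
{
    public function init(): void
    {
        parent::init();
        // Untrusted input is consumed and acted on with no caller check yet.
        $payload = Craft::$app->getRequest()->getBodyParam('payload');
        $this->prepare($payload);
    }

    public function actionProcess()
    {
        $this->requireLogin(); // too late: init() already ran
        return $this->asJson(['ok' => true]);
    }

    private function prepare($payload): void
    {
        $data = json_decode((string)$payload, true);
        if (!is_array($data)) {
            throw new \InvalidArgumentException('payload must be a JSON object');
        }
        // ...application logic on $data would go here (assumed for the example)...
    }
}

// CORRECT ORDER: lifecycle hooks touch nothing request-derived; the gate is
// enforced by craft\web\Controller::beforeAction() via $allowAnonymous, and
// untrusted input is only read inside the action, after that gate returned true.
class GatedController extends Controller
{
    protected array|bool|int $allowAnonymous = self::ALLOW_ANONYMOUS_NEVER;

    public function actionProcess()
    {
        $this->requirePostRequest();
        $this->requireAcceptsJson();
        $payload = Craft::$app->getRequest()->getRequiredBodyParam('payload');
        $data = json_decode((string)$payload, true);
        if (!is_array($data)) {
            throw new \yii\web\BadRequestHttpException('payload must be a JSON object');
        }
        return $this->asJson(['ok' => true, 'keys' => array_keys($data)]);
    }
}
```

The defender's check is therefore structural: audit `__construct()`, `init()` and any other hook that runs before `beforeAction()` for reads of `Craft::$app->getRequest()`, since those execute for anonymous callers regardless of `$allowAnonymous`.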