CVE-2025-32432

This repository contains a functional PoC exploit for CVE-2025-32432, a pre-authentication RCE vulnerability in CraftCMS 4.x and 5.x. The exploit leverages PHP object injection via the asset transform generation feature to achieve remote code execution.

This repository contains a Go-based scanner for CVE-2025-32432, which checks for a deserialization vulnerability in Craft CMS. The tool sends a crafted payload to the target URL and checks for the presence of 'PHP Credits' in the response to determine vulnerability.

This is a functional exploit for CVE-2025-32432 targeting CraftCMS, leveraging session injection and deserialization to achieve remote code execution. The PoC includes multiple injection methods and enhanced detection for phpinfo disclosure and command execution.

This repository contains two Python scripts for exploiting CVE-2025-32432, a pre-authentication RCE vulnerability in CraftCMS. The scripts leverage session poisoning and deserialization gadgets to achieve remote code execution.

This repository contains a functional Python-based proof-of-concept exploit for CVE-2025-32432, a critical deserialization vulnerability in Craft CMS that allows unauthenticated remote code execution via the generate-transform endpoint. The script includes target validation, version detection, and exploit logic.

This Metasploit module exploits an unauthenticated RCE in Craft CMS via the image transform endpoint by injecting a PHP payload into the session and triggering execution through a Yii gadget chain.