CISA has warned that a serious Craft CMS vulnerability, tracked as CVE-2025-35939, is being actively exploited. The flaw lets an unauthenticated attacker write PHP code into server-side files, which can lead to remote code execution when chained with other weaknesses. Because exploitation has been confirmed in the wild and the bug has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, federal agencies and all other Craft CMS users are urged to apply the vendor fix or mitigation without delay.

CVE-2025-35939 is an external control of assumed-immutable web parameter issue (CWE-472) in Craft CMS. Craft stores a user-controlled "return URL" in PHP session files without sanitizing it first, treating a request parameter as though it were a trusted, fixed value.

An unauthenticated client can abuse this behavior to write arbitrary content, including PHP payloads, to a known local file path on the web server. By itself this is a file-write primitive; turning it into code execution requires a second flaw that makes the server load or execute the written file, which is why the advisory describes the RCE as a chained outcome. Any environment running Craft CMS should keep tracking CISA's KEV updates and the vendor's advisories until the fix is confirmed in place.
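The following is an added illustration of the CWE-472 pattern described above, not Craft CMS code. It models the standard PHP session layout that makes the primitive useful to an attacker (the default "php" serialize handler writes `key|s:len:"value";`, and the files handler names each session `sess_<id>` under `session.save_path`), shows the vulnerable store beside a hardened one that validates the return URL before it reaches the session, and finishes with a forensic scan of the session directory for PHP open tags. The attacker payload, the session IDs and the `example.com` host are constructed for the example.

```python
"""CWE-472 return-URL sink writing into PHP session files (added example).

Not Craft CMS code. Models PHP's default session serializer and file naming
so the on-disk result can be inspected offline, then shows a validator and a
forensic check of the session directory. Payloads and IDs are constructed.
"""
import os
import re
import tempfile
from urllib.parse import urlsplit

PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def php_session_serialize(data: dict) -> str:
    """Serialize string values the way PHP's 'php' session handler does."""
    return "".join(
        f'{key}|s:{len(value.encode("utf-8"))}:"{value}";' for key, value in data.items()
    )


def write_session_file(save_path: str, session_id: str, data: dict) -> str:
    """Persist a session like PHP's files handler: sess_<id> in session.save_path."""
    path = os.path.join(save_path, f"sess_{session_id}")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(php_session_serialize(data))
    return path


def vulnerable_store_return_url(session: dict, return_url: str) -> None:
    """The CWE-472 pattern: a request parameter is trusted and stored as-is."""
    session["returnUrl"] = return_url


def is_safe_return_url(value: str, allowed_host: str) -> bool:
    """Accept a relative path on this site or an absolute URL to allowed_host only."""
    if not value or len(value) > 2048:
        return False
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        return False  # control characters never belong in a redirect target
    if value.startswith("//") or value.startswith("/\\"):
        return False  # protocol-relative and backslash-confusion forms
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        return parts.scheme in ("http", "https") and parts.hostname == allowed_host
    # Relative target: single leading slash, and never anything that looks like PHP.
    return value.startswith("/") and "<?" not in value and "?>" not in value


def hardened_store_return_url(session: dict, return_url: str, allowed_host: str) -> None:
    """Validate before the value becomes session state; fall back to the site root."""
    session["returnUrl"] = return_url if is_safe_return_url(return_url, allowed_host) else "/"


def find_php_in_session_files(save_path: str) -> list:
    """Forensic check: a session file should never contain a PHP open tag."""
    hits = []
    for name in sorted(os.listdir(save_path)):
        if not name.startswith("sess_"):
            continue
        full = os.path.join(save_path, name)
        with open(full, "rb") as fh:
            if PHP_OPEN_TAG.search(fh.read()):
                hits.append(full)
    return hits


def demo(save_path: str = None) -> dict:
    """Run the vulnerable and hardened flows side by side and scan the result."""
    if save_path is None:
        save_path = tempfile.mkdtemp(prefix="php-sessions-")
    payload = "/dashboard<?php system($_GET['c']); ?>"  # constructed attacker input

    vuln = {}
    vulnerable_store_return_url(vuln, payload)
    write_session_file(save_path, "attacker0001", vuln)

    hard = {}
    hardened_store_return_url(hard, payload, "example.com")  # example.com is assumed
    write_session_file(save_path, "victim0002", hard)

    return {
        "vulnerable_stored": vuln["returnUrl"],
        "hardened_stored": hard["returnUrl"],
        "files_with_php": [os.path.basename(p) for p in find_php_in_session_files(save_path)],
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable flow leaves `<?php system($_GET['c']); ?>` verbatim inside `sess_attacker0001`, and because the attacker chooses the session ID, the file name is predictable; that is the "known local file path" the advisory refers to, and why a second flaw that includes or executes that file turns it into RCE. The hardened flow stores `/` instead. On a live host, point `find_php_in_session_files` at the directory `session.save_path` resolves to (commonly `/var/lib/php/sessions` on Debian-based systems) as a quick incident-response check; a hit there is worth treating as an indicator of attempted exploitation.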