Security researcher Chocapikk has published a Metasploit module for a critical zero-day vulnerability impacting Craft CMS, tracked as CVE-2025-32432 (CVSS 10). This remote code execution (RCE) flaw, when combined with another input validation vulnerability in the Yii framework (CVE-2024-58136), has been actively exploited in the wild to breach servers and steal sensitive data.

‍

‍