Provides security patches for out-of-date Craft CMS installs.
Warning
This extension only attempts to mitigate high-severity vulnerabilities, and is not a substitute for keeping Craft CMS up-to-date. Maintaining a regular update cadence to ensure Craft CMS is kept up-to-date on a supported version is highly recommended.
This extension is compatible with Craft CMS 3.6.0+, 4.0.0+, and 5.0.0+.
To install, run the following command within a Craft 3/4/5 project:
composer require craftcms/security-patches:dev-mainNote If you get the following prompt, make sure to answer
y:yiisoft/yii2-composer contains a Composer plugin which is currently not in your allow-plugins config. See https://getcomposer.org/allow-plugins Do you trust "yiisoft/yii2-composer" to execute code and wish to enable it now? (writes "allow-plugins" to composer.json)
CVE-2025-32432(RCE)- Affects Craft CMS 3.0.0 – 3.9.14, 4.0.0 – 4.14.14, and 5.0.0 – 5.6.16
- Fixed in Craft CMS 3.9.15, 4.14.15, and 5.6.17
CVE-2024-56145- Affects Craft CMS 3.0.0 – 3.9.13, 4.0.0 – 4.13.1, and 5.0.0 – 5.5.1
- Fixed in Craft CMS 3.9.14, 4.13.2, and 5.5.2