From 6e5bbf5e24b6954decbf211dabd64672523d3463 Mon Sep 17 00:00:00 2001
From: brandonkelly
Date: Mon, 18 Nov 2024 16:00:07 -0800
Subject: [PATCH] Fixed an RCE vulnerability
---
 CHANGELOG.md | 1 +
 src/helpers/App.php | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d1a75e3992f..3ac045ca0f0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,7 @@
 - Fixed a JavaScript error that could occur on element edit pages. ([#16055](https://github.com/craftcms/cms/issues/16055))
 - Fixed a Twig deprecation error. ([#16107](https://github.com/craftcms/cms/issues/16107))
 - Fixed a bug where `craft\services\Structures::fillGapsInElements()` wasn’t working properly if the elements weren’t passed in hierarchical order. ([#16085](https://github.com/craftcms/cms/issues/16085))
+- Fixed an RCE vulnerability.
 ## 4.13.0 - 2024-11-12
diff --git a/src/helpers/App.php b/src/helpers/App.php
index d10f5acfdcd..edb99ece931 100644
--- a/src/helpers/App.php
+++ b/src/helpers/App.php
@@ -11,6 +11,7 @@
 use craft\behaviors\SessionBehavior;
 use craft\cache\FileCache;
 use craft\config\DbConfig;
+use craft\console\Application as ConsoleApplication;
 use craft\db\Command;
 use craft\db\Connection;
 use craft\db\mysql\Schema as MysqlSchema;
@@ -272,7 +273,7 @@ public static function cliOption(string $name, bool $unset = false): string|floa
 throw new InvalidArgumentException("Invalid CLI option name: $name");
 }
- if (empty($_SERVER['argv'])) {
+ if (!Craft::$app instanceof ConsoleApplication || empty($_SERVER['argv'])) {
 return null;
 }
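Review bot: The new guard in `cliOption()` only passes once `Craft::$app` is already a console application, so any caller that runs before the application object is assigned (call sites are not visible in this patch) would now get `null` on a genuine CLI run as well, because `null instanceof ConsoleApplication` is false. If such early callers exist, a SAPI-based test, for example `if (PHP_SAPI !== 'cli' || empty($_SERVER['argv'])) {`, keeps argv away from web requests without needing the app instance. The condition also deserves a why-comment so a later refactor does not drop it, e.g. `// argv is only trustworthy on the CLI: with register_argc_argv enabled, PHP fills $_SERVER['argv'] from the query string on web requests`. Explicit parentheses, `!(Craft::$app instanceof ConsoleApplication)`, would make the negation easier to read. The body of `cliOption()` starts and continues outside the hunk.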