CVE-2025-35939
Published 2025-05-07
Summary: Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability.
Priority: P1 80 · Severity: medium · CVSS 3.1 base score 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CISA Known Exploited Vulnerability (KEV), remediation due 2025-06-23 · Exploited in the wild (ITW)
EPSS: 1.12% (62.1st percentile)
Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at '/var/lib/php/sessions'. Such session files are named 'sess_[session_value]', where '[session_value]' is provided to the client in a 'Set-Cookie' response header. Craft CMS stores the return URL requested by the client without sanitizing parameters. Consequently, an unauthenticated client can introduce arbitrary values, such as PHP code, to a known local file location on the server. Craft CMS versions 5.7.5 and 4.15.3 have been released to address this issue.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| craftcms | cms | >= 0 < 4.15.3 | 4.15.3 |
| craftcms | cms | >= 4.15.3 < 4.17.3 | 4.17.3 |
| craftcms | cms | >= 5.0.0-alpha.1 < 5.7.5 | 5.7.5 |
| craftcms | cms | >= 5.7.5 < 5.9.7 | 5.9.7 |
| craftcms | craft_cms | < 4.15.3 | 4.15.3 |
| craftcms | craft_cms | >= 4.15.3 < 4.17.3 | 4.17.3 |
| craftcms | craft_cms | >= 5.0.0 < 5.7.5 | 5.7.5 |
| craftcms | craft_cms | >= 5.7.5 < 5.9.7 | 5.9.7 |
Notes: the `cms` and `craft_cms` rows describe the same product under two naming schemes. The 4.15.3 and 5.7.5 releases fix CVE-2025-35939 itself; the 4.17.3 and 5.9.7 rows are the follow-on fix for the incomplete sanitization (CVE-2026-31859, see the GHSA/OSV entries below). The record also carried two craftcms rows with no version data and three `msrc` rows for CBL-Mariner 2.0 kernels (cbl2_kernel_5.15.186.1-1, 5.15.200.1-1 and 5.15.202.1-1); the kernel rows belong to CVE-2024-35939 (a Linux dma-direct fix, see the Microsoft entry below) and do not affect Craft CMS.
Detection & IOCs (extracted from sources)
- Monitor for unauthenticated requests whose return URL carries PHP code or other unusual payloads; Craft CMS stores that return URL unsanitized in session files under /var/lib/php/sessions.
- Alert on session files under /var/lib/php/sessions (named sess_<value>) that contain PHP code strings; these may be pre-positioned payloads for a local file inclusion or code execution chain.
- Detect chaining of CVE-2025-35939 with CVE-2024-58136 (as represented by CVE-2025-32432): look for LFI/RCE attempts referencing /var/lib/php/sessions paths that follow unauthenticated requests to Craft CMS which were redirected to the login page.
- Inspect Set-Cookie response headers on Craft CMS login redirects: the session value returned to the client determines the server-side session filename (sess_<value>) where the attacker-controlled content is stored.
- The patch in Craft CMS 5.7.5 / 4.15.3 uses strip_tags() in src/web/User.php to sanitize return URLs, but strip_tags() only removes HTML (and PHP) tags and does not filter URL schemes such as javascript:, leaving a residual reflected XSS (CVE-2026-31859) that was fixed only in 5.9.7 / 4.17.3.
- CVE-2025-35939 is actively exploited in the wild and has been added to CISA's KEV catalog; federal agencies are required to remediate by 2025-06-23.
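A way to run the first two checks in the list above, as an added example that is neither from the cited sources nor Craft CMS code: a PHP CLI script that scans a session directory for sess_* files whose stored values contain a PHP open tag, and flags access-log lines whose (possibly double-encoded) request target carries one. The session file contents and log lines it uses are constructed for the demo; the sess_<id> naming and the /var/lib/php/sessions default come from the advisory, while the combined log format and the query parameter name are assumptions.

```php
<?php
// Added example, not from the page or from Craft CMS. Implements two of the
// detection notes above: (1) scan a PHP session directory for sess_* files whose
// stored values contain a PHP open tag, (2) flag access-log requests whose decoded
// target carries one. The session files and log lines below are constructed.
// Run with: php scan_sessions.php [/var/lib/php/sessions]   (PHP >= 8.0)
declare(strict_types=1);

const PHP_OPEN_TAG = '/<\?(?:php\b|=)/i';   // "<?php" or "<?="; short "<?" is off by default

/** Return one finding per sess_* file that contains a PHP open tag. */
function scanSessionDir(string $dir): array
{
    $findings = [];
    foreach (glob($dir . '/sess_*') ?: [] as $file) {
        $data = @file_get_contents($file);   // may be root-only; skip what we cannot read
        if ($data === false || !preg_match(PHP_OPEN_TAG, $data, $m, PREG_OFFSET_CAPTURE)) {
            continue;
        }
        $findings[] = [
            'file'       => $file,
            'session_id' => substr(basename($file), strlen('sess_')),
            'snippet'    => substr($data, max(0, $m[0][1] - 24), 96),
        ];
    }
    return $findings;
}

/** Decode %XX escapes repeatedly (bounded) so double-encoded payloads are seen too. */
function fullyDecode(string $s, int $rounds = 3): string
{
    for ($i = 0; $i < $rounds; $i++) {
        $d = rawurldecode($s);
        if ($d === $s) {
            break;
        }
        $s = $d;
    }
    return $s;
}

/** Parse a combined-format access log line into method, target and status. */
function parseLogLine(string $line): ?array
{
    if (!preg_match('/"([A-Z]+) (\S+) HTTP\/[\d.]+" (\d{3})/', $line, $m)) {
        return null;
    }
    return ['method' => $m[1], 'target' => $m[2], 'status' => (int) $m[3]];
}

/** Requests whose decoded target contains a PHP open tag. The 302 redirect to the
 *  login page is the path the advisory describes, but any status is reported. */
function suspiciousRequests(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $r = parseLogLine($line);
        if ($r === null) {
            continue;
        }
        $decoded = fullyDecode($r['target']);
        if (preg_match(PHP_OPEN_TAG, $decoded)) {
            $hits[] = $r + ['decoded' => $decoded];
        }
    }
    return $hits;
}

// --- demo data (constructed) -------------------------------------------------
$dir = $argv[1] ?? null;
$tmp = null;
if ($dir === null) {
    // No directory given: build constructed session files, serialized the way
    // PHP's default "php" session handler writes string values.
    $tmp = sys_get_temp_dir() . '/sess-scan-' . getmypid();
    mkdir($tmp, 0700);
    $val = '/admin?x=<?php system($_GET["c"]); ?>';
    file_put_contents($tmp . '/sess_0123456789abcdef', '__returnUrl|s:' . strlen($val) . ':"' . $val . '";');
    file_put_contents($tmp . '/sess_fedcba9876543210', '__returnUrl|s:14:"/admin/entries";');
    $dir = $tmp;
}
$log = [
    '203.0.113.5 - - [10/May/2025:12:00:01 +0000] "GET /admin/entries?x=%3C%3Fphp%20system(%24_GET%5Bc%5D)%3B%20%3F%3E HTTP/1.1" 302 0 "-" "curl/8.0"',
    '203.0.113.5 - - [10/May/2025:12:00:02 +0000] "GET /admin/entries?x=%253C%253Fphp%2520phpinfo()%253B%2520%253F%253E HTTP/1.1" 302 0 "-" "curl/8.0"',
    '198.51.100.7 - - [10/May/2025:12:00:03 +0000] "GET /admin/login HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
];

foreach (scanSessionDir($dir) as $f) {
    printf("SESSION %s (%s): ...%s...\n", $f['session_id'], $f['file'], $f['snippet']);
}
foreach (suspiciousRequests($log) as $r) {
    printf("REQUEST %s %s -> %d\n", $r['method'], $r['decoded'], $r['status']);
}
if ($tmp !== null) {
    array_map('unlink', glob($tmp . '/sess_*') ?: []);
    rmdir($tmp);
}
```

Run the session scan as the user that owns the session files (on Debian-style hosts the directory is usually root-owned with restrictive permissions), and treat a hit as an indicator to pair with the web server log: the session id in the filename is the same value the attacker received in Set-Cookie, so it ties the file back to the originating request.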
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| nvd | 4.0 | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| ghsa | — | 6.9 | MEDIUM | — |
| osv | — | 6.9 | MEDIUM | — |
| vulncheck | — | 9.0 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
Note: a `vendor_msrc` score of 5.5 MEDIUM was also attached to this record; it is Microsoft's score for CVE-2024-35939 (a Linux kernel dma-direct fix, see the Microsoft entry below), not for this CVE.
CISA
Craft CMS External Control of Assumed-Immutable Web Parameter Vulnerability
cisa · 2025-06-02 · CVSS 9.8
CVE-2025-35939 [CRITICAL] CWE-472
Affected: Craft CMS
Craft CMS contains an external control of assumed-immutable web parameter vulnerability. This vulnerability could allow an unauthenticated client to introduce arbitrary values, such as PHP code, to a known local file location on the server. This vulnerability could be chained with CVE-2024-58136 as represented by CVE-2025-32432.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://github.com/craftcms/cms/pull/17220 ; https://nvd.nist.gov/vuln/detail/CVE-2025-35939
Remediation Due Date: 2025-06-23
Microsoft (indexed under this CVE in error)
dma-direct: Leak pages on dma_set_decrypted() failure
vendor_msrc · 2024-05-14 · CVSS 5.5
CVE-2024-35939 [HIGH] dma-direct: Leak pages on dma_set_decrypted() failure
This MSRC entry is for CVE-2024-35939, a Linux kernel dma-direct fix shipped for Azure Linux / CBL-Mariner. It shares only the numeric suffix with CVE-2025-35939 and is unrelated to Craft CMS; it is kept here so the misattributed affected ranges and score above can be traced.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Products: Mariner · Linux
Customer Action Required: Yes
GHSA
CraftCMS vulnerable to reflective XSS via incomplete return URL sanitization
ghsa · 2026-03-11 · CVSS 6.9
CVE-2026-31859 [MEDIUM] CWE-116
### Summary
The fix for CVE-2025-35939 in `craftcms/cms` introduced a `strip_tags()` call in `src/web/User.php` to sanitize return URLs before they are stored in the session. However, `strip_tags()` only removes HTML tags (angle brackets) -- it does not inspect or filter URL schemes. Payloads like `javascript:alert(document.cookie)` contain no HTML tags and pass through `strip_tags()` completely unmodified, enabling reflected XSS when the return URL is rendered in an `href` attribute.
### Details
The patched code is:
```php
public function setReturnUrl($url): void
{
parent::setReturnUrl(strip_tags($url));
}
```
`strip_tags()` removes HTML tags from a string, but it is **not** a URL sanitizer
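The page's top description explains how the unsanitized return URL reaches a session file, and the advisory above explains why the `strip_tags()` fix is incomplete. The following PHP CLI script is an added example, not Craft CMS code and not part of the GHSA advisory: it stores an attacker-style return URL in a file-backed PHP session (in a temporary directory, never in the real session path) to show that the bytes land verbatim in the sess_<id> file, shows what `strip_tags()` does to both the PHP-tag payload and the `javascript:` payload, and then applies a validator that checks the URL's character set, scheme and host instead. The session key `__returnUrl`, the host `cms.example` and the payloads are assumptions for illustration, not values taken from Craft.

```php
<?php
// Added example, not Craft CMS code: (1) why an unsanitized return URL lands
// byte-for-byte in a sess_<id> file, (2) what strip_tags() does and does not
// remove, (3) a charset- and scheme-aware validator to use instead.
// Run with: php return_url_demo.php   (PHP >= 8.0, CLI; writes only to a temp dir)
declare(strict_types=1);

/** Store $returnUrl in a fresh file-backed session; return [file path, raw bytes]. */
function writeReturnUrlToSession(string $returnUrl, string $saveDir): array
{
    ini_set('session.save_path', $saveDir);
    ini_set('session.use_cookies', '0');   // CLI run: there is no Set-Cookie header to emit
    session_start();                       // PHP generates the id a browser would get in Set-Cookie
    $_SESSION['__returnUrl'] = $returnUrl; // the vulnerable pattern: stored unmodified
    session_write_close();
    $file = $saveDir . '/sess_' . session_id();
    return [$file, (string) file_get_contents($file)];
}

/**
 * Accept only URLs that are safe to store and later emit in a redirect or href:
 * RFC 3986 characters only (so "<?php" and "<script" can never be stored), and
 * either a site-relative path or an http(s) URL on $expectedHost. Anything else,
 * including javascript: and scheme-relative "//host" targets, yields null.
 */
function safeReturnUrl(string $url, string $expectedHost): ?string
{
    if ($url === '' || !preg_match('/^[A-Za-z0-9\-._~:\/?#\[\]@!$&\'()*+,;=%]+$/', $url)) {
        return null;                       // "<", ">", quotes, spaces, control bytes
    }
    $p = parse_url($url);
    if ($p === false) {
        return null;
    }
    if (!isset($p['scheme']) && !isset($p['host'])) {
        // relative: exactly one leading slash ("//evil.example" is scheme-relative)
        return (str_starts_with($url, '/') && !str_starts_with($url, '//')) ? $url : null;
    }
    if (!in_array(strtolower($p['scheme'] ?? ''), ['http', 'https'], true)) {
        return null;                       // javascript:, data:, vbscript:, ...
    }
    return strcasecmp($p['host'] ?? '', $expectedHost) === 0 ? $url : null;
}

$saveDir = sys_get_temp_dir() . '/sess-demo-' . getmypid();
mkdir($saveDir, 0700);

// Constructed attacker value: a request target whose query carries a PHP open tag.
$payload = '/admin?x=<?php system($_GET["c"]); ?>';
[$file, $raw] = writeReturnUrlToSession($payload, $saveDir);
echo "session file: $file\n", $raw, "\n";
// The default "php" serializer copies string values verbatim, so $raw contains the
// open tag literally: attacker-chosen PHP source at a cookie-derivable path.

// strip_tags() removes "<?php ... ?>" and "<script>", but has no notion of URL schemes.
$xss = 'javascript:alert(document.cookie)';
echo 'strip_tags(payload): ', strip_tags($payload), "\n";
echo 'strip_tags(xss):     ', strip_tags($xss), "\n";

// A validator that reasons about the URL instead of about HTML:
$cases = [$payload, $xss, '//evil.example/', 'JavaScript:alert(1)',
          '/admin/entries?site=2', 'https://cms.example/admin'];
foreach ($cases as $u) {
    printf("%-45s => %s\n", $u, safeReturnUrl($u, 'cms.example') ?? 'REJECTED');
}
unlink($file);
rmdir($saveDir);
</test-free>
```

The validator deliberately allow-lists rather than strips: a return URL that fails the check is dropped and the application falls back to its default post-login page, so there is nothing for a later local file inclusion to execute and no scheme for a browser to run. Note the mixed-case `JavaScript:` case, which the scheme comparison catches because it lowercases before matching.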
OSV (osv · 2026-03-11 · CVSS 6.9 · CVE-2026-31859 [MEDIUM]): mirrors the GHSA advisory above, same summary and patched-code excerpt.
OSV
Craft CMS stores arbitrary content provided by unauthenticated users in session files
osv · 2025-05-08
CVE-2025-35939 [MEDIUM]
Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at `/var/lib/php/sessions`. Such session files are named `sess_[session_value]`, where `[session_value]` is provided to the client in a `Set-Cookie` response header. Craft CMS stores the return URL requested by the client without sanitizing parameters. Consequently, an unauthenticated client can introduce arbitrary values, such as PHP code, to a known local file location on the server. Craft CMS versions 5.7.5 and
GHSA (ghsa · 2025-05-08 · CVE-2025-35939 [MEDIUM] CWE-472): mirrors the OSV entry above, same title and description.
VulnCheck
Craft CMS External Control of Assumed-Immutable Web Parameter Vulnerability
vulncheck · 2025 · CVSS 9.0
CVE-2025-35939 [CRITICAL] CWE-472
Craft CMS contains an external control of assumed-immutable web parameter vulnerability. This vulnerability could allow an unauthenticated client to introduce arbitrary values, such as PHP code, to a known local file location on the server. This vulnerability could be chained with CVE-2024-58136 as represented by CVE-2025-32432.
Affected: Craft CMS
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json ; https://www.loginsoft.com/reports/annually/vulnerability-intellige
No detection rules found.
No public exploits indexed.
Bleepingcomputer
CISA warns of ConnectWise ScreenConnect bug exploited in attacks
blogs_bleepingcomputer · 2025-06-03 · CVSS 9.8
[CRITICAL]
## CISA warns of ConnectWise ScreenConnect bug exploited in attacks
By Ionut Ilascu
CISA is alerting federal agencies in the U.S. of hackers exploiting a recently patched ScreenConnect vulnerability that could lead to executing remote code on the server.
The agency is warning that four other security problems affecting ASUS routers and the Craft content management system (CMS) are also actively exploited.
## Improper authentication in ConnectWise ScreenConnect
On April 24, ConnectWise addressed the security issue, tracked as CVE-2025-3935, stating that the vulnerability could be exploited for a ViewState code injection attack.
The vendor notes that ASP.NET Web Forms rely on the ViewState component to preserve page and control state using base64-encoded data that is protected by machi
Wiz
CVE-2026-31859 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 6.9
CVE-2026-31859 [MEDIUM]
## CVE-2026-31859: PHP vulnerability analysis and mitigation
Craft is a content management system (CMS). The fix for CVE-2025-35939 in craftcms/cms introduced a strip_tags() call in src/web/User.php to sanitize return URLs before they are stored in the session. However, strip_tags() only removes HTML tags (angle brackets) -- it does not inspect or filter URL schemes. Payloads like javascript:alert(document.cookie) contain no HTML tags and pass through strip_tags() completely unmodified, enabling reflected XSS when the return URL is rendered in an href attribute. This vulnerability is fixed in 5.9.7 and 4.17.3.
Source: NVD
Score: 6.9 (CNA score 6.9) · Severity: MEDIUM · Published: March 11, 2026
Affected technologies: PHP, Craft CMS
Has public exploit: No · In CISA KEV: No
References
- https://github.com/craftcms/cms/pull/17220
- https://github.com/craftcms/cms/releases/tag/4.15.3
- https://github.com/craftcms/cms/releases/tag/5.7.5
- https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-147-01.json
- https://www.cve.org/CVERecord?id=CVE-2025-35939
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-35939
Timeline
- 2025-05-07: Published
- 2025-06-02: Added to CISA KEV
- Exploited in the wild