⚠ Actively exploited
Added to CISA KEV on 2025-06-02. Federal agencies required to patch by 2025-06-23. Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable..

CVE-2025-35939External Control of Assumed-Immutable Web Parameter in CMS

CWE-472External Control of Assumed-Immutable Web ParameterCWE-116Improper Encoding or Escaping of OutputCWE-79Cross-site Scripting13 documents9 sources
Severity
6.9MEDIUMNVD
VulnCheck9.0CISA9.8
EPSS
33.1%
top 3.10%
CISA KEV
KEV
Added 2025-06-02
Due 2025-06-23
Exploit
No known exploits
Affected products
3
Craft CMSCraftcms Craft CMSCraftcms CMS
Timeline
PublishedMay 7
KEV addedJun 2
KEV dueJun 23
Latest updateMar 11
CISA Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Description

Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at '/var/lib/php/sessions'. Such session files are named 'sess_[session_value]', where '[session_value]' is provided to the client in a 'Set-Cookie' response header. Craft CMS stores the return URL request

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages4 packages

CVEListV5craft/cms< 5.7.5+1
Packagistcraftcms/cms4.15.34.17.3+3
NVDcraftcms/craft_cms5.0.05.7.5+3
CVEListV5craftcms/cms>= 4.15.3, < 4.17.3, >= 5.7.5, < 5.9.7+1

Patches

Patch: github.com

🔴Vulnerability Details

7
GHSA
CraftCMS vulnerable to reflective XSS via incomplete return URL sanitization2026-03-11
CVEList
Craft has Reflective XSS via incomplete return URL sanitization2026-03-11
OSV
CraftCMS vulnerable to reflective XSS via incomplete return URL sanitization2026-03-11
OSV
Craft CMS stores arbitrary content provided by unauthenticated users in session files2025-05-08
GHSA
Craft CMS stores arbitrary content provided by unauthenticated users in session files2025-05-08

📋Vendor Advisories

2
CISA
Craft CMS External Control of Assumed-Immutable Web Parameter Vulnerability2025-06-02
Microsoft
dma-direct: Leak pages on dma_set_decrypted() failure2024-05-14

🕵️Threat Intelligence

2
Bleepingcomputer
CISA warns of ConnectWise ScreenConnect bug exploited in attacks2025-06-03
Wiz
CVE-2026-31859 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2025-35939 — Craft CMS vulnerability | cvebase