CVE-2025-68455
Published 2026-01-05
Priority: P3 · 51 · high
CVSS 3.1 base score: 7.2
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.81% (52.4th percentile)
Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior. Note that attackers must have administrator access to the Craft Control Panel for this to work. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.
Affected (10 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| craftcms | cms | — | — |
| craftcms | cms | — | — |
| craftcms | cms | >= 4.0.0-RC1 < 4.16.17 | 4.16.17 |
| craftcms | cms | >= 5.0.0-RC1 < 5.8.21 | 5.8.21 |
| craftcms | craft_cms | < 4.16.18 | 4.16.18 |
| craftcms | craft_cms | < 5.8.22 | 5.8.22 |
| craftcms | craft_cms | — | — |
| craftcms | craft_cms | — | — |
| craftcms | craft_cms | >= 4.0.0.1 < 4.16.17 | 4.16.17 |
| craftcms | craft_cms | >= 5.0.1 < 5.8.21 | 5.8.21 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 8.6 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| ghsa | — | 9.1 | CRITICAL | — |
| osv | — | 9.1 | CRITICAL | — |
OSV
Craft CMS vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior
osv · 2026-01-05 · CVSS 9.1 · CRITICAL

Note that attackers must have administrator access to the Craft Control Panel for this to work.
Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.

Resources:
- https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef
- https://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7
- https://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593
- https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04

### Summary
This was reported as a vulnerability in Yii framework on August 7th (https://github.com/yiisoft/yii2/security/advisories/GHSA-gcmh-9pjj-7fp4). The Yii framework team deni
GHSA
Craft CMS vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior
ghsa · 2026-01-05 · CVSS 9.1 · CRITICAL · CWE-470

Note that attackers must have administrator access to the Craft Control Panel for this to work.
Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.

Resources:
- https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef
- https://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7
- https://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593
- https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04

### Summary
This was reported as a vulnerability in Yii framework on August 7th (https://github.com/yiisoft/yii2/security/advisories/GHSA-gcmh-9pjj-7fp4). The Yii framework team deni
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-25498 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.6 · HIGH

## CVE-2026-25498: PHP vulnerability analysis and mitigation
Craft is a platform for creating digital experiences. In versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a Remote Code Execution (RCE) vulnerability exists in Craft CMS where the assembleLayoutFromPost() function in src/services/Fields.php fails to sanitize user-supplied configuration data before passing it to Craft::createObject(). This allows authenticated administrators to inject malicious Yii2 behavior configurations that execute arbitrary system commands on the server. This vulnerability represents an unpatched variant of the behavior injection vulnerability addressed in CVE-2025-68455, affecting different endpoints through a separate code path. This vulnerability is fixed in 5.8.22.

Source: NVD
Wiz
CVE-2025-68455 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.6 · HIGH

## CVE-2025-68455: PHP vulnerability analysis and mitigation
Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 are vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior. Note that attackers must have administrator access to the Craft Control Panel for this to work. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.

Source: NVD

- Score: 8.6
- Published: January 5, 2026
- Severity: HIGH
- CNA Score: 8.6
- Affected Technologies: PHP, Craft CMS
- Has Public Exploit: Yes
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 78.7
- Exploitation Probability (EPSS): 1.2
Affected packages and li
- https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04
- https://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7
- https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef
- https://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593
- https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5